Imperative Process Algebra with Abstraction


C.A. Middelburg


Abstract 


This paper introduces an imperative process algebra based on ACP 
(Algebra of Communicating Processes). Like other imperative process 
algebras, this process algebra deals with processes of the kind that 
arises from the execution of imperative programs. It distinguishes 
itself from already existing imperative process algebras among other 
things by supporting abstraction from actions that are considered not 
to be visible. The support of abstraction of this kind opens interesting 
application possibilities of the process algebra. This paper goes briefly 
into the possibility of information-flow security analysis of the kind that 
is concerned with the leakage of confidential data. For the presented 
axiomatization, soundness and semi-completeness results with respect 
to a notion of branching bisimulation equivalence are established. 
Keywords: imperative process algebra, abstraction, branching 
bisimulation, information-flow security, data non-interference with 
interactions. 


1 Introduction 


Generally speaking, process algebras focus on the main role of a reactive 
system, namely maintaining a certain ongoing interaction with its envi- 
ronment. Reactive systems contrast with transformational systems. A 
transformational system is a system whose main role is to produce, without 
interruption by its environment, output data from input data.² In general,
early computer-based systems were transformational systems. Nowadays, 
many systems are composed of both reactive components and transforma- 
tional components. A process carried out by such a system is a process 
in which data are involved. Usually, the data change in the course of the 
process, the process proceeds at certain stages in a way that depends on 
the changing data, and the interaction of the process with other processes 
consists of communication of data. 

This paper introduces an extension of ACP [6] with features that are
relevant to processes of the kind referred to above. The extension concerned
is called ACP^ε_τ-I. Its additional features include assignment actions to change
the data in the course of a process, guarded commands to proceed at certain
stages of a process in a way that depends on the changing data, and data
parameterized actions to communicate data between processes. The processes
of the kind that ACP^ε_τ-I is concerned with are reminiscent of the processes
that arise from the execution of imperative programs. In [33], the term
imperative process algebra was coined for process algebras like ACP^ε_τ-I.
Other imperative process algebras are VPLA [27], IPAL [33], CSP_σ [16],
AWN [19], and the unnamed process algebra introduced in [13].

ACP^ε_τ-I distinguishes itself from those imperative process algebras by
being the only one with the following three properties:


(1) it supports abstraction from actions that are considered not to be 
visible; 


(2) a verification of the equivalence of two processes in its semantics is 
automatically valid in any semantics that is fully abstract with respect 
to some notion of observable behaviour (cf. [41]); 


(3) it offers the possibility of equational verification of process equivalence. 


CSP_σ is the only one of the above-mentioned imperative process algebras
that has property (1) and none of them has property (2). ACP^ε_τ-I is probably
unique in being the only imperative process algebra with properties (1), (2)
and (3).

Property (1) is achieved by providing a special constant (called the
silent step constant), special operators (called abstraction operators), and an
appropriate notion of equivalence of processes in the semantics of ACP^ε_τ-I.


² The terms reactive system and transformational system are used here with the meaning
given in [26].
Property (2) is achieved by using a notion of branching bisimulation
equivalence [41] for the equivalence of processes in the semantics of ACP^ε_τ-I.
Property (3) is achieved by providing an equational axiomatization of the
equivalence concerned.


Property (1) is essential for the verification of properties concerning the
external behaviour of a system. Property (2) is desirable for such verifications
in applications where the final word on what exactly is observable behaviour
has not been pronounced. This means that ACP^ε_τ-I is an interesting process
algebra for the verification of properties concerning the external behaviour
of a system whose description calls for an imperative process algebra. It
makes ACP^ε_τ-I, among other things, suitable for the verification of properties
concerning the information-flow security of a system in which confidential
and non-confidential data, contained in state components of the system, are
looked up and changed and an ongoing interaction with the environment of
the system is maintained.


A great part of the work done on information-flow security is con- 
cerned with secure information flow in programs, where information flow 
in a program is considered secure if information derivable from the con- 
fidential data contained in its high-security variables cannot be inferred 
from the non-confidential data contained in its low-security variables (see 
e.g. [42, 40, 12, 34, 10]). A notable exception is the work done in a process- 
algebra setting, where the focus has shifted from programs to processes of 
the kind to which programs in execution belong and where the information 
flow in a process is usually considered secure if information derivable from 
confidential actions cannot be inferred from non-confidential actions (see 
e.g. [20, 36, 11, 31]). 

Recent work done on information-flow security in a process-algebra
setting occasionally deals with the data-oriented notion of secure information
flow, but on such occasions program variables are always mimicked by
processes (see e.g. [21, 29]). A suitable imperative process algebra would
obviate the need to mimic program variables. This state of affairs motivated
the development of ACP^ε_τ-I. This paper also shows how ACP^ε_τ-I can be used
for information-flow security analysis of the kind that is concerned with the
leakage of confidential data.


The development of ACP^ε_τ-I was primarily aimed at obtaining an
imperative process algebra with the properties that are designated above as
essential and desirable for the verification of properties concerning the
external behaviour of a system. The starting point of the development of ACP^ε_τ-I
is ACP^ε_τ [3, Section 5.3], which is a non-imperative process algebra with
these properties. This makes it a convenient starting point in view of the
primary aim of the development.

ACP^ε_τ-I is closely related to ACP_ε-D [9]. The main differences between
them can be summarized as follows:


(a) only the former supports abstraction from actions that are considered
not to be visible;


(b) only the latter has an iteration operator.


This paper introduces, in addition to ACP^ε_τ-I, guarded linear recursion in
the setting of ACP^ε_τ-I. The set of processes that can be defined by means of
the operators of ACP^ε_τ-I extended with the iteration operator is a proper
subset of the set of processes that can be defined by means of guarded linear
recursion in the setting of ACP^ε_τ-I. Therefore, (a) should be considered the
important difference. However, using the semantics of ACP_ε-D as presented
in [9] as the starting point of the semantics of ACP^ε_τ-I turned out to result
in a semantics that is too complicated to establish the soundness and
semi-completeness results.

This paper is organized as follows. First, a survey of the algebraic theory
ACP^ε_τ, which is the extension of ACP with the empty process constant ε and
the silent step constant τ, is given (Section 2). Next, the algebraic theory
ACP^ε_τ-I is introduced as an extension of ACP^ε_τ (Section 3) and guarded
linear recursion in the setting of ACP^ε_τ-I is treated (Section 4). After that,
a structural operational semantics of ACP^ε_τ-I is presented and a notion of
branching bisimulation equivalence based on this semantics is defined
(Section 5). Following this, the reasons for two relatively uncommon choices made
in the preceding sections are clarified (Section 6). Then, results concerning
the soundness and (semi-)completeness of the given axiomatization with
respect to branching bisimulation equivalence are established (Section 7).
Thereafter, it is explained how ACP^ε_τ-I can be used for information-flow
security analysis of the kind that is concerned with the leakage of confidential
data (Section 8). Finally, some concluding remarks are made (Section 9).

There is also an appendix in which, for comparison, an alternative
structural operational semantics of ACP^ε_τ-I is presented and a notion of
branching bisimulation equivalence based on this alternative structural
operational semantics is defined. The alternative in question is the
above-mentioned result of using the structural operational semantics of ACP_ε-D
as the starting point.
Section 2, Section 3, and the appendix mainly extend the material in
Section 2, Section 3, and Section 4, respectively, of [9]. Portions of that
material have been copied near verbatim or slightly modified.


2 ACP with Empty Process and Silent Step 


In this section, ACP^ε_τ is presented. ACP^ε_τ is ACP [6] extended with the
empty process constant ε and the silent step constant τ as in [3, Section 5.3].
In ACP^ε_τ, it is assumed that a fixed but arbitrary finite set A of basic actions,
with τ, δ, ε ∉ A, and a fixed but arbitrary commutative and associative
communication function γ : (A ∪ {τ, δ}) × (A ∪ {τ, δ}) → (A ∪ {τ, δ}), such
that γ(τ, a) = δ and γ(δ, a) = δ for all a ∈ A ∪ {τ, δ}, have been given. Basic
actions are taken as atomic processes. The function γ is regarded to give
the result of synchronously performing any two basic actions for which this
is possible, and to be δ otherwise. Henceforth, we write A_τ for A ∪ {τ}.

The algebraic theory ACP^ε_τ has one sort: the sort P of processes. This
sort is made explicit to anticipate the need for many-sortedness later on.
The algebraic theory ACP^ε_τ has the following constants and operators to
build terms of sort P:


• for each a ∈ A, the basic action constant a : P;

• the silent step constant τ : P;

• the inaction constant δ : P;

• the empty process constant ε : P;

• the binary alternative composition operator + : P × P → P;

• the binary sequential composition operator · : P × P → P;

• the binary parallel composition operator ∥ : P × P → P;

• the binary left merge operator ⌊⌊ : P × P → P;

• the binary communication merge operator | : P × P → P;

• for each H ⊆ A and for H = A_τ, the unary encapsulation operator
∂_H : P → P;

• for each I ⊆ A, the unary abstraction operator τ_I : P → P.
It is assumed that there is a countably infinite set 𝒳 of variables of sort P,
which contains x, y and z. Terms are built as usual. Infix notation is used
for the binary operators. The following precedence conventions are used
to reduce the need for parentheses: the operator · binds stronger than all
other binary operators and the operator + binds weaker than all other
binary operators.

The constants of ACP^ε_τ can be explained as follows (a ∈ A):


• a denotes the process that performs the observable action a and after
that terminates successfully;

• τ denotes the process that performs the unobservable action τ and
after that terminates successfully;

• ε denotes the process that terminates successfully without performing
any action;

• δ denotes the process that cannot do anything, it cannot even terminate
successfully.


Let t and t' be closed ACP^ε_τ terms denoting processes p and p', respectively,
let H ⊆ A or H = A_τ, and let I ⊆ A. Then the operators of ACP^ε_τ can be
explained as follows:


• t + t' denotes the process that behaves either as p or as p', where the
choice between the two is resolved at the instant that one of them
performs its first action or terminates successfully without performing
any action, and not before;

• t · t' denotes the process that first behaves as p and following successful
termination of p behaves as p';

• t ∥ t' denotes the process that behaves as p and p' in parallel, by
which is meant that, each time an action is performed, either a next
action of p is performed or a next action of p' is performed or a next
action of p and a next action of p' are performed synchronously;
successful termination may take place at any time that both p and p'
can terminate successfully;

• t ⌊⌊ t' denotes the same process as t ∥ t', except that it starts with
performing an action of p;

• t | t' denotes the same process as t ∥ t', except that it starts with
performing an action of p and an action of p' synchronously;

• ∂_H(t) denotes the process that behaves the same as p, except that
actions from H are blocked from being performed;

• τ_I(t) denotes the process that behaves the same as p, except that
actions from I are turned into the unobservable action τ.


The operators ⌊⌊ and | are of an auxiliary nature. They make a finite
axiomatization of ACP^ε_τ possible.

The operator ∂_{A_τ} can also be explained as follows: ∂_{A_τ}(t) denotes the
process that behaves the same as ε if t denotes a process that has the option
to behave the same as ε and it denotes the process that behaves the same
as δ otherwise. In [3, Section 5.3], the symbol √ is used instead of ∂_{A_τ}.

The axioms of ACP^ε_τ are presented in Table 1. In these equations, a, b,
and c stand for arbitrary constants of ACP^ε_τ other than ε, H stands for an
arbitrary subset of A or the set A_τ, and I stands for an arbitrary subset
of A. So, CM3, CM7, D0–D4, T0–T4, and BE are actually axiom schemas.
In this paper, axiom schemas will usually be referred to as axioms.

The occurrence of the strange-looking term ∂_{A_τ}(x) · ∂_{A_τ}(y) in axiom
CM1E deserves some explanation. This term is needed to handle successful
termination in the presence of ε: it stands for the process that behaves
the same as ε if both x and y stand for a process that has the option to
behave the same as ε and it stands for the process that behaves the same
as δ otherwise.

Notice that there are no operators ∂_H for H ⊂ A_τ with τ ∈ H in ACP^ε_τ.
If one or more of them were present, the equation a · δ = a would be derivable
from the axioms of ACP^ε_τ.

In the sequel, the notation ∑_{i=1}^{n} t_i, where n ≥ 1, will be used for
right-nested alternative compositions. For each n ∈ ℕ⁺,³ the term ∑_{i=1}^{n} t_i
is defined by induction on n as follows:

$$
\sum_{i=1}^{1} t_i = t_1
\quad\text{and}\quad
\sum_{i=1}^{n+1} t_i = t_1 + \sum_{i=1}^{n} t_{i+1} .
$$

In addition, the convention will be used that ∑_{i=1}^{0} t_i = δ.


³ We write ℕ⁺ for the set {n ∈ ℕ | n ≥ 1} of positive natural numbers.
Table 1: Axioms of ACP^ε_τ

$x + y = y + x$                                                                A1
$(x + y) + z = x + (y + z)$                                                    A2
$x + x = x$                                                                    A3
$(x + y) \cdot z = x \cdot z + y \cdot z$                                      A4
$(x \cdot y) \cdot z = x \cdot (y \cdot z)$                                    A5
$x + \delta = x$                                                               A6
$\delta \cdot x = \delta$                                                      A7
$x \cdot \epsilon = x$                                                         A8
$\epsilon \cdot x = x$                                                         A9
$x \parallel y = x \lfloor\!\lfloor y + y \lfloor\!\lfloor x + x \mid y + \partial_{A_\tau}(x) \cdot \partial_{A_\tau}(y)$   CM1E
$\epsilon \lfloor\!\lfloor x = \delta$                                         CM2E
$a \cdot x \lfloor\!\lfloor y = a \cdot (x \parallel y)$                       CM3
$(x + y) \lfloor\!\lfloor z = x \lfloor\!\lfloor z + y \lfloor\!\lfloor z$     CM4
$\epsilon \mid x = \delta$                                                     CM5E
$x \mid \epsilon = \delta$                                                     CM6E
$a \cdot x \mid b \cdot y = \gamma(a, b) \cdot (x \parallel y)$                CM7
$(x + y) \mid z = x \mid z + y \mid z$                                         CM8
$x \mid (y + z) = x \mid y + x \mid z$                                         CM9
$\partial_H(\epsilon) = \epsilon$                                              D0
$\partial_H(a) = a$  if $a \notin H$                                           D1
$\partial_H(a) = \delta$  if $a \in H$                                         D2
$\partial_H(x + y) = \partial_H(x) + \partial_H(y)$                            D3
$\partial_H(x \cdot y) = \partial_H(x) \cdot \partial_H(y)$                    D4
$\tau_I(\epsilon) = \epsilon$                                                  T0
$\tau_I(a) = a$  if $a \notin I$                                               T1
$\tau_I(a) = \tau$  if $a \in I$                                               T2
$\tau_I(x + y) = \tau_I(x) + \tau_I(y)$                                        T3
$\tau_I(x \cdot y) = \tau_I(x) \cdot \tau_I(y)$                                T4
$a \cdot (\tau \cdot (x + y) + x) = a \cdot (x + y)$                           BE


3 Imperative ACP^ε_τ


In this section, ACP^ε_τ-I, imperative ACP^ε_τ, is presented. This extension of
ACP^ε_τ has been inspired by [8]. It extends ACP^ε_τ with features that are
relevant to processes in which data are involved, such as guarded commands
(to deal with processes that only take place if some data-dependent condition
holds), data parameterized actions (to deal with process interactions with
data transfer), and assignment actions (to deal with data that change in the
course of a process).

In ACP^ε_τ-I, it is assumed that the following has been given with respect
to data:


• a many-sorted signature Σ_𝔇 that includes:

  – a sort D of data and a sort B of booleans;
  – constants of sort D and/or operators with result sort D;
  – constants tt and ff of sort B and operators with result sort B;


• a minimal algebra 𝔇 of the signature Σ_𝔇 in which the carrier of sort B
has cardinality 2 and the equation tt = ff does not hold.


We write 𝒟 for the set of all closed terms over the signature Σ_𝔇 that are of
sort D. The sort B is assumed to be given in order to make it possible for
operators to serve as predicates.

It is also assumed that a finite or countably infinite set 𝒱 of flexible
variables has been given. A flexible variable is a variable whose value may
change in the course of a process.⁴ Typical examples of flexible variables are
the program variables known from imperative programming. An evaluation
map is a function from 𝒱 to 𝒟. We write EM for the set of all evaluation maps.

The algebraic theory ACP^ε_τ-I has the following sorts: the sort P of
processes, the sort C of conditions, and the sorts from Σ_𝔇.

It is assumed that there are countably infinite sets of variables of sort C
and D and that the sets of variables of sort P, C, and D are mutually
disjoint and disjoint from 𝒱.

Below, the constants and operators of ACP^ε_τ-I are introduced. The
operators of ACP^ε_τ-I include two variable-binding operators. The formation
rules for ACP^ε_τ-I terms are the usual ones for the many-sorted case (see
e.g. [38, 43]) and in addition the following rule:


• if O is a variable-binding operator O : S_1 × ... × S_n → S that binds a
variable of sort S', t_1, ..., t_n are terms of sorts S_1, ..., S_n, respectively,
and X is a variable of sort S', then OX(t_1, ..., t_n) is a term of sort S.


An extensive formal treatment of the phenomenon of variable-binding
operators can be found in [35].


⁴ The term flexible variable is used for this kind of variables in e.g. [39, 30].
ACP^ε_τ-I has the constants and operators from Σ_𝔇 to build terms of the
sorts from Σ_𝔇, which include the sort B and the sort D, and in addition
the following constants to build terms of sort D:


• for each v ∈ 𝒱, the flexible variable constant v : D.


We write 𝒟_𝒱 for the set of all closed ACP^ε_τ-I terms of sort D.

Evaluation maps are intended to provide the data values assigned to
flexible variables when an ACP^ε_τ-I term of sort D is evaluated. However, in
order to fit better in an algebraic setting, they provide closed terms over the
signature Σ_𝔇 that denote those data values instead. The requirement that 𝔇
is a minimal algebra guarantees that each data value can be represented by
a closed term.

ACP^ε_τ-I has the following constants and operators to build terms of
sort C:


• the binary equality operator = : B × B → C;

• the binary equality operator = : D × D → C;⁵

• the truth constant t : C;

• the falsity constant f : C;

• the unary negation operator ¬ : C → C;

• the binary conjunction operator ∧ : C × C → C;

• the binary disjunction operator ∨ : C × C → C;

• the binary implication operator ⇒ : C × C → C;

• the unary variable-binding universal quantification operator ∀ : C → C
that binds a variable of sort D;

• the unary variable-binding existential quantification operator ∃ : C → C
that binds a variable of sort D.


We write 𝒞 for the set of all closed ACP^ε_τ-I terms of sort C.

Each term from 𝒞 can be taken as a formula of a first-order language
with equality of 𝔇 by taking the flexible variable constants as additional
variables of sort D. The flexible variable constants are implicitly taken as
additional variables of sort D wherever the context asks for a formula. In
this way, each term from 𝒞 can be interpreted as a formula in 𝔇.


⁵ The overloading of = can be trivially resolved if Σ_𝔇 is without overloaded symbols.

ACP^ε_τ-I has the constants and operators of ACP^ε_τ and in addition the
following operators to build terms of sort P:


• the binary guarded command operator :→ : C × P → P;

• for each n ∈ ℕ, for each a ∈ A, the n-ary data parameterized action
operator a : D × ··· × D → P (n times D);

• for each v ∈ 𝒱, a unary assignment action operator v := : D → P;

• for each σ ∈ EM, a unary evaluation operator V_σ : P → P.


We write 𝒫 for the set of all closed ACP^ε_τ-I terms of sort P.

The same notational conventions are used as before. Infix notation is
also used for the additional binary operators. Moreover, the notation [v := e],
where v ∈ 𝒱 and e is an ACP^ε_τ-I term of sort D, is used for the term v := (e).

The notation φ ⇔ ψ, where φ and ψ are ACP^ε_τ-I terms of sort C, is
used for the term (φ ⇒ ψ) ∧ (ψ ⇒ φ). The axioms of ACP^ε_τ-I (given below)
include an equation φ = ψ for each two terms φ and ψ from 𝒞 for which the
formula φ ⇔ ψ holds in 𝔇.

Let t be a term from 𝒫, φ be a term from 𝒞, e_1, ..., e_n and e be terms
from 𝒟_𝒱, and a be a basic action from A. Then the additional operators to
build terms of sort P can be explained as follows:


• the term φ :→ t denotes the process that behaves as the process denoted
by t if condition φ holds and as δ otherwise;

• the term a(e_1, ..., e_n) denotes the process that performs the data
parameterized action a(e_1, ..., e_n) and after that terminates successfully;

• the term [v := e] denotes the process that performs the assignment
action [v := e], whose intended effect is the assignment of the result of
evaluating e to flexible variable v, and after that terminates successfully;

• the term V_σ(t) denotes the process that behaves the same as the
process denoted by t except that each subterm of t that belongs
to 𝒟_𝒱 is evaluated using the evaluation map σ updated according to
the assignment actions that have taken place at the point where the
subterm is encountered.


Evaluation operators are a variant of state operators (see e.g. [1]). 
The following closed ACP^ε_τ-I term is reminiscent of a program that
computes the difference between two integers by subtracting the smaller one
from the larger one (i, j, d ∈ 𝒱):⁶

$$
[d := i] \cdot \bigl( (d \geq j = \mathrm{tt}) :\to [d := d - j] + (d \geq j = \mathrm{ff}) :\to [d := j - d] \bigr)
$$

That is, the final value of d is the absolute value of the result of subtracting
the initial value of i from the initial value of j. An evaluation operator
can be used to show that this is the case for given initial values of i and j.
For example, consider the case where the initial values of i and j are 11
and 3, respectively. Let σ be an evaluation map such that σ(i) = 11 and
σ(j) = 3. Then the following equation can be derived from the axioms of
ACP^ε_τ-I given below:

$$
V_\sigma\bigl( [d := i] \cdot \bigl( (d \geq j = \mathrm{tt}) :\to [d := d - j] + (d \geq j = \mathrm{ff}) :\to [d := j - d] \bigr) \bigr)
= [d := 11] \cdot [d := 8] .
$$

This equation shows that in the case where the initial values of i and j are 11
and 3 the final value of d is 8 (which is the absolute value of the result of
subtracting 11 from 3).
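The derivation of this equation, carried out step by step (an added worked example, not part of the original paper; φ abbreviates (d ≥ j = tt), ψ abbreviates (d ≥ j = ff), and σ' abbreviates σ{11/d}), shows which axioms of ACP^ε_τ-I do the work: V4 pushes the evaluation operator through an assignment action and updates the evaluation map, V6 evaluates a guard, IMP2 turns the evaluated guards into t and f, and GC1, GC2 and A6 then discard the branch that does not apply:

$$
\begin{aligned}
& V_\sigma\bigl( [d := i] \cdot (\phi :\to [d := d - j] + \psi :\to [d := j - d]) \bigr) \\
&= [d := 11] \cdot V_{\sigma'}\bigl( \phi :\to [d := d - j] + \psi :\to [d := j - d] \bigr)
  && \text{(V4, since } \sigma(i) = 11\text{)} \\
&= [d := 11] \cdot \bigl( V_{\sigma'}(\phi :\to [d := d - j]) + V_{\sigma'}(\psi :\to [d := j - d]) \bigr)
  && \text{(V5)} \\
&= [d := 11] \cdot \bigl( (11 \geq 3 = \mathrm{tt}) :\to V_{\sigma'}([d := d - j]) + (11 \geq 3 = \mathrm{ff}) :\to V_{\sigma'}([d := j - d]) \bigr)
  && \text{(V6)} \\
&= [d := 11] \cdot \bigl( \mathrm{t} :\to V_{\sigma'}([d := d - j]) + \mathrm{f} :\to V_{\sigma'}([d := j - d]) \bigr)
  && \text{(IMP2)} \\
&= [d := 11] \cdot \bigl( V_{\sigma'}([d := d - j]) + \delta \bigr)
  && \text{(GC1, GC2)} \\
&= [d := 11] \cdot V_{\sigma'}([d := d - j] \cdot \epsilon)
  && \text{(A6, A8)} \\
&= [d := 11] \cdot [d := 8] \cdot V_{\sigma'\{8/d\}}(\epsilon)
  && \text{(V4, since } \sigma'(d - j) = 8\text{)} \\
&= [d := 11] \cdot [d := 8]
  && \text{(V0, A8)} .
\end{aligned}
$$

With the initial values swapped (σ(i) = 3, σ(j) = 11), IMP2 turns the first guard into f and the second into t, and the same steps yield [d := 3] · [d := 8].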

An evaluation map σ can be extended homomorphically from flexible
variables to ACP^ε_τ-I terms of sort D and ACP^ε_τ-I terms of sort C. These
extensions are denoted by σ as well. Below, we write σ{e/v} for the evaluation
map σ' defined by σ'(v') = σ(v') if v' ≠ v and σ'(v) = e.

Three subsets of 𝒫 are defined:

$$
\begin{aligned}
\mathcal{A}_{dp} &= \{ a(e_1, \ldots, e_n) \mid a \in A \wedge e_1, \ldots, e_n \in \mathcal{D}_{\mathcal{V}} \} , \\
\mathcal{A}_{as} &= \{ [v := e] \mid v \in \mathcal{V} \wedge e \in \mathcal{D}_{\mathcal{V}} \} , \\
\mathcal{A} &= A \cup \mathcal{A}_{dp} \cup \mathcal{A}_{as} .
\end{aligned}
$$

In ACP^ε_τ-I, the elements of 𝒜 are the terms from 𝒫 that denote the processes
that are considered to be atomic. Henceforth, we write 𝒜_τ for 𝒜 ∪ {τ}
and 𝒜_τδ for 𝒜 ∪ {τ, δ}.

The axioms of ACP^ε_τ-I are the axioms presented in Table 1, on the
understanding that a now stands for an arbitrary term from 𝒜_τδ, H now
stands for an arbitrary subset of 𝒜 or the set 𝒜_τ, and I now stands for
an arbitrary subset of 𝒜, and in addition the axioms presented in Table 2.
In the latter table, φ and ψ stand for arbitrary terms from 𝒞, e, e_1, e_2, ...,


⁶ Here and in examples to come, the carrier of 𝔇 is assumed to be the set of all integers.
Moreover, the usual integer constants, operators on integers, and predicates on integers
are assumed (where operators with result sort B serve as predicates).
and e', e'_1, e'_2, ... stand for arbitrary terms from 𝒟_𝒱, v stands for an
arbitrary flexible variable from 𝒱, σ stands for an arbitrary evaluation map
from EM, a, b, and c stand for arbitrary basic actions from A, and α stands
for an arbitrary term from 𝒜_τδ.


Table 2: Additional axioms of ACP^ε_τ-I

$e = e'$  if $\mathfrak{D} \models e = e'$                                                        IMP1
$\phi = \psi$  if $\mathfrak{D} \models \phi \Leftrightarrow \psi$                                IMP2
$\mathrm{t} :\to x = x$                                                                            GC1
$\mathrm{f} :\to x = \delta$                                                                       GC2
$\phi :\to \delta = \delta$                                                                        GC3
$\phi :\to (x + y) = \phi :\to x + \phi :\to y$                                                    GC4
$\phi :\to x \cdot y = (\phi :\to x) \cdot y$                                                      GC5
$\phi :\to (\psi :\to x) = (\phi \wedge \psi) :\to x$                                              GC6
$(\phi \vee \psi) :\to x = \phi :\to x + \psi :\to x$                                              GC7
$(\phi :\to x) \lfloor\!\lfloor y = \phi :\to (x \lfloor\!\lfloor y)$                              GC8
$(\phi :\to x) \mid y = \phi :\to (x \mid y)$                                                      GC9
$x \mid (\phi :\to y) = \phi :\to (x \mid y)$                                                      GC10
$\partial_H(\phi :\to x) = \phi :\to \partial_H(x)$                                                GC11
$\tau_I(\phi :\to x) = \phi :\to \tau_I(x)$                                                        GC12
$V_\sigma(\epsilon) = \epsilon$                                                                    V0
$V_\sigma(\tau \cdot x) = \tau \cdot V_\sigma(x)$                                                  V1
$V_\sigma(a \cdot x) = a \cdot V_\sigma(x)$                                                        V2
$V_\sigma(a(e_1, \ldots, e_n) \cdot x) = a(\sigma(e_1), \ldots, \sigma(e_n)) \cdot V_\sigma(x)$    V3
$V_\sigma([v := e] \cdot x) = [v := \sigma(e)] \cdot V_{\sigma\{\sigma(e)/v\}}(x)$                V4
$V_\sigma(x + y) = V_\sigma(x) + V_\sigma(y)$                                                      V5
$V_\sigma(\phi :\to x) = \sigma(\phi) :\to V_\sigma(x)$                                            V6
$a(e_1, \ldots, e_n) \cdot x \mid b(e'_1, \ldots, e'_n) \cdot y = (e_1 = e'_1 \wedge \ldots \wedge e_n = e'_n) :\to c(e_1, \ldots, e_n) \cdot (x \parallel y)$  if $\gamma(a, b) = c$   CM7Da
$a(e_1, \ldots, e_n) \cdot x \mid b(e'_1, \ldots, e'_m) \cdot y = \delta$  if $\gamma(a, b) = \delta$ or $n \neq m$   CM7Db
$a(e_1, \ldots, e_n) \cdot x \mid \alpha \cdot y = \delta$  if $\alpha \notin \mathcal{A}_{dp}$    CM7Dc
$\alpha \cdot x \mid a(e_1, \ldots, e_n) \cdot y = \delta$  if $\alpha \notin \mathcal{A}_{dp}$    CM7Dd
$[v := e] \cdot x \mid \alpha \cdot y = \delta$                                                    CM7De
$\alpha \cdot x \mid [v := e] \cdot y = \delta$                                                    CM7Df
$\alpha \cdot (\phi :\to \tau \cdot (x + y) + \phi :\to x) = \alpha \cdot (\phi :\to (x + y))$     BED


Axioms GC1–GC12 have been taken from [2] (using a different numbering),
but with the axioms with occurrences of Hoare's ternary counterpart
of the guarded command operator (see below) replaced by simpler axioms.
Axioms CM7Da and CM7Db have been inspired by [8]. Axiom BED is
axiom BE generalized to the current setting. An equivalent axiomatization is
obtained if axiom BED is replaced by the equation α · (φ :→ τ · x) = α · (φ :→ x).

Some earlier extensions of ACP include Hoare's ternary counterpart of
the binary guarded command operator (see e.g. [2]). This operator can be
defined by the equation x ◁ u ▷ y = u :→ x + (¬u) :→ y. From this defining
equation, it follows that u :→ x = x ◁ u ▷ δ. In [25], a unary counterpart of
the binary guarded command operator is used. This operator can be
defined by the equation {u} = u :→ ε. From this defining equation, it follows that
u :→ x = {u} · x and also that {t} = ε and {f} = δ.


4 ACP^ε_τ-I with Recursion


A closed ACP^ε_τ-I term of sort P denotes a process with a finite upper bound
to the number of actions that it can perform. Recursion allows the description
of processes without a finite upper bound to the number of actions that they
can perform.

A recursive specification over ACP^ε_τ-I is a set {X_i = t_i | i ∈ I}, where I
is a finite set, each X_i is a variable from 𝒳, each t_i is an ACP^ε_τ-I term of
sort P in which only variables from {X_i | i ∈ I} occur, and X_i ≠ X_j for all
i, j ∈ I with i ≠ j. We write vars(E), where E is a recursive specification
over ACP^ε_τ-I, for the set of all variables that occur in E. Let E be a recursive
specification and let X ∈ vars(E). Then the unique equation X = t ∈ E is
called the recursion equation for X in E.

Below, recursive specifications over ACP^ε_τ-I are introduced in which the
right-hand sides of the recursion equations are linear ACP^ε_τ-I terms. The
set ℒ of linear ACP^ε_τ-I terms is inductively defined by the following rules:


• δ ∈ ℒ;

• if φ ∈ 𝒞, then φ :→ ε ∈ ℒ;

• if φ ∈ 𝒞, α ∈ 𝒜_τ, and X ∈ 𝒳, then φ :→ α · X ∈ ℒ;

• if t, t' ∈ ℒ, then t + t' ∈ ℒ.


Let t ∈ ℒ. Then we refer to the subterms of t that have the form φ :→ ε or
the form φ :→ α · X as the summands of t.
Table 3: Axioms for guarded linear recursion

$\langle X | E \rangle = \langle t | E \rangle$  if $X = t \in E$                RDP
$E \Rightarrow X = \langle X | E \rangle$  if $X \in \mathit{vars}(E)$           RSP


Let X be a variable from 𝒳 and let t be an ACP^ε_τ-I term in which X
occurs. Then an occurrence of X in t is guarded if t has a subterm of the
form α · t' where α ∈ 𝒜 and t' contains this occurrence of X. An occurrence
of a variable X in a linear ACP^ε_τ-I term may not be guarded because a linear
ACP^ε_τ-I term may have summands of the form φ :→ τ · X.

A guarded linear recursive specification over ACP^ε_τ-I is a recursive
specification {X_i = t_i | i ∈ I} over ACP^ε_τ-I where each t_i is a linear ACP^ε_τ-I
term, and there does not exist an infinite sequence i_0 i_1 ... over I such that,
for each k ∈ ℕ, there is an occurrence of X_{i_{k+1}} in t_{i_k} that is not guarded.

A linearizable recursive specification over ACP^ε_τ-I is a recursive
specification {X_i = t_i | i ∈ I} over ACP^ε_τ-I where each t_i is rewritable to an ACP^ε_τ-I
term t'_i, using the axioms of ACP^ε_τ-I in either direction and the equations in
{X_j = t_j | j ∈ I ∧ i ≠ j} from left to right, such that {X_i = t'_i | i ∈ I} is a
guarded linear recursive specification over ACP^ε_τ-I.

A solution of a guarded linear recursive specification E over ACP^ε_τ-I in
some model of ACP^ε_τ-I is a set {p_X | X ∈ vars(E)} of elements of the carrier
of that model such that each equation in E holds if, for all X ∈ vars(E),
X is assigned p_X. A guarded linear recursive specification has a unique
solution under the equivalence defined in Section 5 for ACP^ε_τ-I extended
with guarded linear recursion. If {p_X | X ∈ vars(E)} is the unique solution
of a guarded linear recursive specification E, then, for each X ∈ vars(E),
p_X is called the X-component of the unique solution of E.

ACP^ε_τ-I is extended with guarded linear recursion by adding constants
for solutions of guarded linear recursive specifications over ACP^ε_τ-I and
axioms concerning these additional constants. For each guarded linear recursive
specification E over ACP^ε_τ-I and each X ∈ vars(E), a constant ⟨X|E⟩ of
sort P, that stands for the X-component of the unique solution of E, is
added to the constants of ACP^ε_τ-I. The equation RDP (Recursive Definition
Principle) and the conditional equation RSP (Recursive Specification
Principle) given in Table 3 are added to the axioms of ACP^ε_τ-I. In RDP and
RSP, X stands for an arbitrary variable from 𝒳, t stands for an arbitrary
ACP^ε_τ-I term of sort P, E stands for an arbitrary guarded linear recursive
specification over ACP^ε_τ-I, and the notation ⟨t|E⟩ is used for t with, for all
X ∈ vars(E), all occurrences of X in t replaced by ⟨X|E⟩. Side conditions
restrict what X, t, and E stand for.

We write ACP^ε_τ-I+REC for the resulting theory. Furthermore, we
write 𝒫_rec for the set of all closed ACP^ε_τ-I+REC terms of sort P.

RDP and RSP together postulate that guarded linear recursive
specifications over ACP^ε_τ-I have unique solutions: the equations ⟨X|E⟩ = ⟨t|E⟩
and the conditional equations E ⇒ X = ⟨X|E⟩ for a fixed E express that
the constants ⟨X|E⟩ make up a solution of E and that this solution is the
only one, respectively.

Because conditional equational formulas must be dealt with in
ACP^ε_τ-I+REC, it is understood that conditional equational logic is used in deriving
equations from the axioms of ACP^ε_τ-I+REC. A complete inference system
for conditional equational logic can for example be found in [3, 24].

We write T ⊢ t = t', where T is ACP^ε_τ-I+REC or ACP^ε_τ-I+REC+CFAR
(an extension of ACP^ε_τ-I+REC introduced below), to indicate that the
equation t = t' is derivable from the axioms of T using a complete inference
system for conditional equational logic.

The following closed ACP$^\tau_\epsilon$-I+REC term is reminiscent of a program
that computes by repeated subtraction the quotient and remainder of dividing
a non-negative integer by a positive integer ($i, j, q, r \in \mathcal{V}$):

$$[q := 0] \cdot [r := i] \cdot \langle Q \mid E \rangle ,$$

where $E$ is the guarded linear recursive specification that consists of the
following two equations ($Q, R \in \mathcal{X}$):

$$Q = (r \geq j = \mathsf{t}) \mathbin{:\to} [q := q + 1] \cdot R + (r \geq j = \mathsf{f}) \mathbin{:\to} \epsilon ,$$
$$R = \mathsf{t} \mathbin{:\to} [r := r - j] \cdot Q .$$

The final values of $q$ and $r$ are the quotient and remainder of dividing the
initial value of $i$ by the initial value of $j$. An evaluation operator can be used
to show that this is the case for given initial values of $i$ and $j$. For example,
consider the case where the initial values of $i$ and $j$ are 11 and 3, respectively.
Let $\sigma$ be an evaluation map such that $\sigma(i) = 11$ and $\sigma(j) = 3$. Then the
following equation can be derived from the axioms of ACP$^\tau_\epsilon$-I+REC:

$$\mathsf{V}_\sigma([q := 0] \cdot [r := i] \cdot \langle Q \mid E \rangle)
= [q := 0] \cdot [r := 11] \cdot [q := 1] \cdot [r := 8] \cdot [q := 2] \cdot [r := 5] \cdot [q := 3] \cdot [r := 2] \cdot \epsilon .$$

This equation shows that in the case where the initial values of $i$ and $j$ are 11
and 3 the final values of $q$ and $r$ are 3 and 2 (which are the quotient and
remainder of dividing 11 by 3).
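The derivation above can be mechanized. The following Python evaluator is an added example, not code from the paper: it implements the transition rules for the deterministic sequential fragment used in the division example (actions, assignment actions, guarded commands, alternative and sequential composition, the empty process, and constants $\langle X \mid E \rangle$), and mimics the evaluation operator $\mathsf{V}_\sigma$ by evaluating the data terms of assignment actions under the current evaluation map. The tuple encoding of terms and the use of Python functions for data terms and conditions are this example's own conventions, not the paper's syntax.

```python
from typing import Dict, List, Tuple

Sigma = Dict[str, int]          # evaluation map sigma: flexible variable -> value

# Term encoding assumed by this example (tuples; not the paper's concrete syntax):
#   'eps'                     the empty process
#   ('act', a)                basic action a
#   ('asg', v, e)             assignment action [v := e], e a function Sigma -> int
#   ('gc', phi, t)            guarded command phi :-> t, phi a function Sigma -> bool
#   ('alt', t1, t2)           alternative composition t1 + t2
#   ('seq', t1, t2)           sequential composition t1 . t2
#   ('rec', X)                the constant <X|E>; E is passed separately
EPS = 'eps'


def enabled(t, sigma: Sigma, E) -> Tuple[List[Tuple[str, object, Sigma]], bool]:
    """Transitions of t under sigma as (label, t', sigma') triples, plus whether t
    can terminate.  Labels of assignment actions carry the evaluated right-hand
    side and sigma' records the new value, which is what V_sigma does."""
    if t == EPS:
        return [], True
    kind = t[0]
    if kind == 'act':
        return [(t[1], EPS, dict(sigma))], False
    if kind == 'asg':
        v, val = t[1], t[2](sigma)
        return [(f'[{v} := {val}]', EPS, {**sigma, v: val})], False
    if kind == 'gc':                       # rules for :-> apply only if sigma satisfies phi
        return enabled(t[2], sigma, E) if t[1](sigma) else ([], False)
    if kind == 'alt':
        l1, d1 = enabled(t[1], sigma, E)
        l2, d2 = enabled(t[2], sigma, E)
        return l1 + l2, d1 or d2
    if kind == 'seq':
        l1, d1 = enabled(t[1], sigma, E)
        moves = [(lab, ('seq', t1, t[2]), s) for lab, t1, s in l1]
        if d1:                             # x terminates: x . y may continue as y
            l2, d2 = enabled(t[2], sigma, E)
            return moves + l2, d2
        return moves, False
    if kind == 'rec':                      # <X|E> behaves as <t_X|E> for X = t_X in E
        return enabled(E[t[1]], sigma, E)
    raise ValueError(f'unknown term {t!r}')


def run(t, sigma: Sigma, E, max_steps: int = 10_000):
    """Execute a deterministic term: the sequence of evaluated actions and the
    final evaluation map.  Refuses nondeterministic choices and, because a
    guard that never becomes false loops forever, bounds the step count."""
    trace = []
    for _ in range(max_steps):
        moves, done = enabled(t, sigma, E)
        if len(moves) > 1:
            raise ValueError('nondeterministic choice')
        if not moves:
            if not done:
                raise RuntimeError('deadlock')
            return trace, sigma
        lab, t, sigma = moves[0]
        trace.append(lab)
    raise RuntimeError(f'no termination within {max_steps} steps')


def division_spec():
    """E: Q = (r >= j = t) :-> [q := q+1] . R + (r >= j = f) :-> eps,  R = t :-> [r := r-j] . Q"""
    return {
        'Q': ('alt',
              ('gc', lambda s: s['r'] >= s['j'],
               ('seq', ('asg', 'q', lambda s: s['q'] + 1), ('rec', 'R'))),
              ('gc', lambda s: not s['r'] >= s['j'], EPS)),
        'R': ('gc', lambda s: True,
              ('seq', ('asg', 'r', lambda s: s['r'] - s['j']), ('rec', 'Q'))),
    }


def divide(i: int, j: int):
    """V_sigma([q := 0] . [r := i] . <Q|E>) for sigma(i) = i and sigma(j) = j."""
    term = ('seq', ('asg', 'q', lambda s: 0),
            ('seq', ('asg', 'r', lambda s: s['i']), ('rec', 'Q')))
    trace, final = run(term, {'i': i, 'j': j}, division_spec())
    return trace, final['q'], final['r']


if __name__ == '__main__':
    print(divide(11, 3))
```

For `divide(11, 3)` the trace is exactly the right-hand side of the equation above. The step bound matters in practice: with a divisor of 0 the guard $r \geq j$ never becomes false, the term has no finite trace, and `run` reports that instead of looping.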

Below, use will be made of a reachability notion for the variables
occurring in a guarded linear recursive specification over ACP$^\tau_\epsilon$-I.

Let $E$ be a guarded linear recursive specification over ACP$^\tau_\epsilon$-I and let
$X, Y \in \mathrm{vars}(E)$. Then $Y$ is directly reachable from $X$ in $E$, written $X \rightsquigarrow Y$,
if $Y$ occurs in the right-hand side of the recursion equation for $X$ in $E$. We
write $\rightsquigarrow^*$ for the reflexive transitive closure of $\rightsquigarrow$.

Processes with one or more cycles of $\tau$ actions are not definable by
guarded linear recursion alone, but they are definable by combining guarded
linear recursion and abstraction. An example is

$$\tau_{\{a\}}(\langle X \mid \{X = a \cdot Y + b,\ Y = a \cdot X + c\} \rangle) .$$

The semantics of ACP$^\tau_\epsilon$-I+REC presented in Section 5 identifies this with
$b + \tau \cdot (b + c)$. However, the equation

$$\tau_{\{a\}}(\langle X \mid \{X = a \cdot Y + b,\ Y = a \cdot X + c\} \rangle) = b + \tau \cdot (b + c)$$

is not derivable from the axioms of ACP$^\tau_\epsilon$-I+REC. This is remedied by the
addition of the equational axiom schema CFAR (Cluster Fair Abstraction
Rule) that will be presented below. This axiom schema makes it possible
to abstract from a cycle of actions that are turned into the unobservable
action $\tau$, by which only the ways out of the cycle remain. The side condition
on the equation concerned requires several notions to be made precise.

Let $E$ be a guarded linear recursive specification over ACP$^\tau_\epsilon$-I, let
$C \subseteq \mathrm{vars}(E)$, and let $I \subseteq \mathcal{A}$. Then:

• $C$ is a cluster for $I$ in $E$ if, for each ACP$^\tau_\epsilon$-I term $\phi \mathbin{:\to} a \cdot X$ of sort $\mathbf{P}$
  that is a summand of the right-hand side of the recursion equation for
  some $X' \in C$ in $E$, $X \in C$ only if $\phi \equiv \mathsf{t}$ and $a \in I \cup \{\tau\}$;$^7$

• for each cluster $C$ for $I$ in $E$, the exit set of $C$ for $I$ in $E$, written
  $\mathrm{exits}_{I,E}(C)$, is the set of ACP$^\tau_\epsilon$-I terms of sort $\mathbf{P}$ defined by
  $t \in \mathrm{exits}_{I,E}(C)$ iff $t$ is a summand of the right-hand side of the recursion
  equation for some $X' \in C$ in $E$ and one of the following holds:

  – $t \equiv \phi \mathbin{:\to} a \cdot Y$ for some $\phi \in \mathbf{C}$, $a \in \mathcal{A}_\tau$, and $Y \in \mathrm{vars}(E)$ such
    that $a \notin I \cup \{\tau\}$ or $Y \notin C$;
  – $t \equiv \phi \mathbin{:\to} \epsilon$ for some $\phi \in \mathbf{C}$;

• $C$ is a conservative cluster for $I$ in $E$ if $C$ is a cluster for $I$ in $E$ and,
  for each $X \in C$ and each $t \in \mathrm{exits}_{I,E}(C)$, $X \rightsquigarrow^* Y$ for some $Y \in C$ such that
  $t$ is a summand of the right-hand side of the recursion equation for $Y$ in $E$.

$^7$ We write $\equiv$ for syntactic equality.

Table 4: Cluster fair abstraction rule

$$\tau \cdot \tau_I(\langle X \mid E \rangle) = \tau \cdot \tau_I\Big(\Big\langle \sum_{i=1}^{n} t_i \,\Big|\, E \Big\rangle\Big)
\quad \text{if for some finite conservative cluster } C \text{ for } I \text{ in } E,\ X \in C \text{ and } \mathrm{exits}_{I,E}(C) = \{t_1, \ldots, t_n\}
\qquad \text{CFAR}$$

The cluster fair abstraction rule is presented in Table 4. In this table, $X$
stands for an arbitrary variable from $\mathcal{X}$, $E$ stands for an arbitrary guarded
linear recursive specification over ACP$^\tau_\epsilon$-I, $I$ stands for an arbitrary subset
of $\mathcal{A}$, and $t_1, t_2, \ldots$ stand for arbitrary ACP$^\tau_\epsilon$-I terms of sort $\mathbf{P}$. A side
condition restricts what $X$, $E$, $I$, and $t_1, t_2, \ldots$ stand for.

CFAR expresses that every cluster of $\tau$ actions will be exited sooner
or later. This is a fairness assumption made in the verification of many
properties concerning the external behaviour of systems.

We write ACP$^\tau_\epsilon$-I+REC+CFAR for the theory ACP$^\tau_\epsilon$-I+REC extended
with CFAR.
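The side condition of CFAR is decidable for a finite specification, and it is worth checking mechanically before the rule is applied: a cycle that is a cluster but not conservative has an exit that some of its states can no longer reach, and CFAR then does not apply. The following Python functions are an added example, not code from the paper; they compute the cluster, exit-set and conservativeness notions defined above and the right-hand side that CFAR yields. The dictionary encoding of a specification is assumed by this example: each variable maps to the summands of its equation, a summand being a triple $(\phi, a, Y)$ for $\phi \mathbin{:\to} a \cdot Y$, with `'t'` for the condition $\mathsf{t}$, $Y$ = `None` for a summand $\phi \mathbin{:\to} a$ (as in $X = a \cdot Y + b$), and $a$ = `None` for $\phi \mathbin{:\to} \epsilon$.

```python
TAU = 'tau'


def is_cluster(E, C, I):
    """C is a cluster for I in E: a summand of a variable in C may stay inside
    C only if its guard is t and its action is in I or is tau."""
    return all(phi == 't' and (a in I or a == TAU)
               for X in C for phi, a, Y in E[X] if Y in C)


def exits(E, C, I):
    """The exit set exits_{I,E}(C), mapped to the cluster variables whose
    equation contains the exit as a summand."""
    owners = {}
    for X in C:
        for phi, a, Y in E[X]:
            if Y not in C or a not in I and a != TAU:   # Y is None counts as outside C
                owners.setdefault((phi, a, Y), set()).add(X)
    return owners


def reachable(E, X):
    """Variables Y with X ~>* Y (reflexive transitive closure of direct reachability)."""
    seen, stack = {X}, [X]
    while stack:
        for _, _, Y in E[stack.pop()]:
            if Y is not None and Y not in seen:
                seen.add(Y)
                stack.append(Y)
    return seen


def is_conservative(E, C, I):
    """Conservative cluster: every variable of C reaches an owner of every exit,
    so every way out of the cluster stays available from everywhere inside it."""
    if not is_cluster(E, C, I):
        return False
    return all(reachable(E, X) & owner_set
               for X in C for owner_set in exits(E, C, I).values())


def cfar_right_hand_side(E, X, C, I):
    """The exit summands t_1, ..., t_n of tau . tau_I(<t_1 + ... + t_n | E>) that CFAR
    yields for tau . tau_I(<X|E>), or None when the side condition fails."""
    if X not in C or not is_conservative(E, C, I):
        return None
    return sorted(exits(E, C, I), key=str)


# Constructed inputs.  The example from this section: X = a . Y + b, Y = a . X + c, I = {a}.
E1 = {'X': [('t', 'a', 'Y'), ('t', 'b', None)],
      'Y': [('t', 'a', 'X'), ('t', 'c', None)]}
# A cycle that is a cluster but not conservative: from Y the exit b of X is unreachable.
E2 = {'X': [('t', 'a', 'Y'), ('t', 'b', None)],
      'Y': [('t', 'a', 'Y'), ('t', 'c', None)]}
# Not a cluster at all: a step inside the cycle is guarded by a condition other than t.
E3 = {'X': [('r >= j = t', 'a', 'Y'), ('t', 'b', None)],
      'Y': [('t', 'a', 'X'), ('t', 'c', None)]}

if __name__ == '__main__':
    for E in (E1, E2, E3):
        print(cfar_right_hand_side(E, 'X', {'X', 'Y'}, {'a'}))
```

For `E1` the result is the two exits $b$ and $c$, which is the sum $b + c$ under the $\tau$ in $\tau \cdot \tau_I(\langle X \mid E \rangle) = \tau \cdot (b + c)$; for `E2` and `E3` the function returns `None`, since an exit that is not reachable from every cluster variable, or a conditional step inside the cycle, violates the side condition.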


5 Bisimulation Semantics

In this section, a structural operational semantics of ACP$^\tau_\epsilon$-I+REC is presented
and a notion of branching bisimulation equivalence for ACP$^\tau_\epsilon$-I+REC
based on this structural operational semantics is defined.

The structural operational semantics of ACP$^\tau_\epsilon$-I+REC consists of

• a binary conditional transition relation $\xrightarrow{\ell}$ on $\mathcal{P}_{\mathrm{rec}}$ for each $\ell \in \mathcal{EM} \times \mathcal{A}_\tau$;
• a unary successful termination relation $\{\sigma\}{\downarrow}$ on $\mathcal{P}_{\mathrm{rec}}$ for each $\sigma \in \mathcal{EM}$.

We write $t \xrightarrow{\{\sigma\}\,a} t'$ instead of $(t, t') \in \xrightarrow{(\sigma, a)}$, and $t\,\{\sigma\}{\downarrow}$ instead of
$t \in \{\sigma\}{\downarrow}$. The relations from the structural operational semantics describe what
the processes denoted by terms from $\mathcal{P}_{\mathrm{rec}}$ are capable of doing as follows:

• $t \xrightarrow{\{\sigma\}\,a} t'$: if the data values assigned to the flexible variables are as
  defined by $\sigma$, then the process denoted by $t$ has the potential to make
  a transition to the process denoted by $t'$ by performing action $a$;
• $t\,\{\sigma\}{\downarrow}$: if the data values assigned to the flexible variables are as defined
  by $\sigma$, then the process denoted by $t$ has the potential to terminate
  successfully.

The relations from the structural operational semantics of ACP$^\tau_\epsilon$-I+REC
are the smallest relations satisfying the rules given in Table 5. In this
table, $\sigma$ and $\sigma'$ stand for arbitrary evaluation maps from $\mathcal{EM}$, $a$ stands for
an arbitrary action from $\mathcal{A}_\tau$, $\mathsf{a}$, $\mathsf{b}$, and $\mathsf{c}$ stand for arbitrary actions from $\mathsf{A}$,
$e, e_1, e_2, \ldots$ and $e'_1, e'_2, \ldots$ stand for arbitrary terms from $\mathcal{D}$, $H$ stands for an
arbitrary subset of $\mathcal{A}$ or the set $\mathcal{A}_\tau$, $I$ stands for an arbitrary subset of $\mathcal{A}$,
$\phi$ stands for an arbitrary term from $\mathbf{C}$, $v$ stands for an arbitrary flexible
variable from $\mathcal{V}$, $X$ stands for an arbitrary variable from $\mathcal{X}$, $t$ stands for
an arbitrary ACP$^\tau_\epsilon$-I term of sort $\mathbf{P}$, and $E$ stands for an arbitrary guarded
linear recursive specification over ACP$^\tau_\epsilon$-I.

The rules in Table 5 have the form $\dfrac{p_1 \;\cdots\; p_n}{c}\ s$, where $s$ is optional.
They are to be read as "if $p_1$ and $\ldots$ and $p_n$ then $c$, provided $s$". As usual,
$p_1, \ldots, p_n$ are called the premises and $c$ is called the conclusion. A side
condition $s$, if present, serves to restrict the applicability of a rule. If a rule
has no premises, then nothing is displayed above the horizontal bar.

Because the rules in Table 5 constitute an inductive definition, $t \xrightarrow{\{\sigma\}\,a} t'$
or $t\,\{\sigma\}{\downarrow}$ holds iff it can be inferred from these rules. For instance, for
$a, b, c \in \mathsf{A}$, $v, v' \in \mathcal{V}$, and $\sigma \in \mathcal{EM}$ such that $\sigma(v) = \sigma(v')$, we have that
$(v = v') \mathbin{:\to} (a + b) \cdot c \xrightarrow{\{\sigma\}\,a} \epsilon \cdot c$. This can be inferred by applying the first rule,
the third rule for $+$, the second rule for $\mathbin{:\to}$, and the third rule for $\cdot$ in
that order.

Two processes are considered equal if they can simulate each other
insofar as their observable potentials to make transitions and to terminate
successfully are concerned, taking into account the assignments of data values
to flexible variables under which the potentials are available. This can be
dealt with by means of the notion of branching bisimulation equivalence
introduced in [41] adapted to the conditionality of transitions in which the
unobservable action $\tau$ is performed.

Table 5: Transition rules for ACP$^\tau_\epsilon$-I

$$\frac{}{a \xrightarrow{\{\sigma\}\,a} \epsilon} \qquad \frac{}{\epsilon\,\{\sigma\}{\downarrow}}$$

$$\frac{x\,\{\sigma\}{\downarrow}}{x + y\,\{\sigma\}{\downarrow}} \qquad
\frac{y\,\{\sigma\}{\downarrow}}{x + y\,\{\sigma\}{\downarrow}} \qquad
\frac{x \xrightarrow{\{\sigma\}\,a} x'}{x + y \xrightarrow{\{\sigma\}\,a} x'} \qquad
\frac{y \xrightarrow{\{\sigma\}\,a} y'}{x + y \xrightarrow{\{\sigma\}\,a} y'}$$

$$\frac{x\,\{\sigma\}{\downarrow} \quad y\,\{\sigma\}{\downarrow}}{x \cdot y\,\{\sigma\}{\downarrow}} \qquad
\frac{x\,\{\sigma\}{\downarrow} \quad y \xrightarrow{\{\sigma\}\,a} y'}{x \cdot y \xrightarrow{\{\sigma\}\,a} y'} \qquad
\frac{x \xrightarrow{\{\sigma\}\,a} x'}{x \cdot y \xrightarrow{\{\sigma\}\,a} x' \cdot y}$$

$$\frac{x\,\{\sigma\}{\downarrow} \quad y\,\{\sigma\}{\downarrow}}{x \parallel y\,\{\sigma\}{\downarrow}} \qquad
\frac{x \xrightarrow{\{\sigma\}\,a} x'}{x \parallel y \xrightarrow{\{\sigma\}\,a} x' \parallel y} \qquad
\frac{y \xrightarrow{\{\sigma\}\,a} y'}{x \parallel y \xrightarrow{\{\sigma\}\,a} x \parallel y'}$$

$$\frac{x \xrightarrow{\{\sigma\}\,\mathsf{a}} x' \quad y \xrightarrow{\{\sigma\}\,\mathsf{b}} y'}{x \parallel y \xrightarrow{\{\sigma\}\,\mathsf{c}} x' \parallel y'}\ \ \gamma(\mathsf{a}, \mathsf{b}) = \mathsf{c}$$

$$\frac{x \xrightarrow{\{\sigma\}\,\mathsf{a}(e_1, \ldots, e_n)} x' \quad y \xrightarrow{\{\sigma\}\,\mathsf{b}(e'_1, \ldots, e'_n)} y'}{x \parallel y \xrightarrow{\{\sigma\}\,\mathsf{c}(e_1, \ldots, e_n)} x' \parallel y'}\ \ \gamma(\mathsf{a}, \mathsf{b}) = \mathsf{c},\ \mathfrak{D} \models \sigma(e_1 = e'_1 \wedge \ldots \wedge e_n = e'_n)$$

$$\frac{x \xrightarrow{\{\sigma\}\,a} x'}{x \mathbin{\lfloor\!\lfloor} y \xrightarrow{\{\sigma\}\,a} x' \parallel y}$$

$$\frac{x\,\{\sigma\}{\downarrow} \quad y\,\{\sigma\}{\downarrow}}{x \mid y\,\{\sigma\}{\downarrow}} \qquad
\frac{x \xrightarrow{\{\sigma\}\,\mathsf{a}} x' \quad y \xrightarrow{\{\sigma\}\,\mathsf{b}} y'}{x \mid y \xrightarrow{\{\sigma\}\,\mathsf{c}} x' \parallel y'}\ \ \gamma(\mathsf{a}, \mathsf{b}) = \mathsf{c}$$

$$\frac{x \xrightarrow{\{\sigma\}\,\mathsf{a}(e_1, \ldots, e_n)} x' \quad y \xrightarrow{\{\sigma\}\,\mathsf{b}(e'_1, \ldots, e'_n)} y'}{x \mid y \xrightarrow{\{\sigma\}\,\mathsf{c}(e_1, \ldots, e_n)} x' \parallel y'}\ \ \gamma(\mathsf{a}, \mathsf{b}) = \mathsf{c},\ \mathfrak{D} \models \sigma(e_1 = e'_1 \wedge \ldots \wedge e_n = e'_n)$$

$$\frac{x\,\{\sigma\}{\downarrow}}{\partial_H(x)\,\{\sigma\}{\downarrow}} \qquad
\frac{x \xrightarrow{\{\sigma\}\,a} x'}{\partial_H(x) \xrightarrow{\{\sigma\}\,a} \partial_H(x')}\ \ a \notin H$$

$$\frac{x\,\{\sigma\}{\downarrow}}{\tau_I(x)\,\{\sigma\}{\downarrow}} \qquad
\frac{x \xrightarrow{\{\sigma\}\,a} x'}{\tau_I(x) \xrightarrow{\{\sigma\}\,a} \tau_I(x')}\ \ a \notin I \qquad
\frac{x \xrightarrow{\{\sigma\}\,a} x'}{\tau_I(x) \xrightarrow{\{\sigma\}\,\tau} \tau_I(x')}\ \ a \in I$$

$$\frac{x\,\{\sigma\}{\downarrow}}{\phi \mathbin{:\to} x\,\{\sigma\}{\downarrow}}\ \ \mathfrak{D} \models \sigma(\phi) \qquad
\frac{x \xrightarrow{\{\sigma\}\,a} x'}{\phi \mathbin{:\to} x \xrightarrow{\{\sigma\}\,a} x'}\ \ \mathfrak{D} \models \sigma(\phi)$$

$$\frac{x\,\{\sigma\}{\downarrow}}{\mathsf{V}_\sigma(x)\,\{\sigma'\}{\downarrow}} \qquad
\frac{x \xrightarrow{\{\sigma\}\,a} x'}{\mathsf{V}_\sigma(x) \xrightarrow{\{\sigma'\}\,a} \mathsf{V}_\sigma(x')}\ \ a \in \mathsf{A} \cup \{\tau\}$$

$$\frac{x \xrightarrow{\{\sigma\}\,\mathsf{a}(e_1, \ldots, e_n)} x'}{\mathsf{V}_\sigma(x) \xrightarrow{\{\sigma'\}\,\mathsf{a}(\sigma(e_1), \ldots, \sigma(e_n))} \mathsf{V}_\sigma(x')} \qquad
\frac{x \xrightarrow{\{\sigma\}\,[v := e]} x'}{\mathsf{V}_\sigma(x) \xrightarrow{\{\sigma'\}\,[v := \sigma(e)]} \mathsf{V}_{\sigma\{\sigma(e)/v\}}(x')}$$

$$\frac{\langle t \mid E \rangle\,\{\sigma\}{\downarrow}}{\langle X \mid E \rangle\,\{\sigma\}{\downarrow}}\ \ X = t \in E \qquad
\frac{\langle t \mid E \rangle \xrightarrow{\{\sigma\}\,a} x'}{\langle X \mid E \rangle \xrightarrow{\{\sigma\}\,a} x'}\ \ X = t \in E$$

An equivalence relation on the set $\mathcal{A}_\tau$ is needed. Two actions $a, a' \in \mathcal{A}_\tau$
are data equivalent, written $a \sim a'$, iff one of the following holds:

• $a \equiv a'$;
• for some $n \in \mathbb{N}^+$, there exist an $\mathsf{a} \in \mathsf{A}$ and $e_1, \ldots, e_n, e'_1, \ldots, e'_n \in \mathcal{D}$
  such that $\mathfrak{D} \models e_1 = e'_1 \wedge \ldots \wedge e_n = e'_n$, $a \equiv \mathsf{a}(e_1, \ldots, e_n)$, and
  $a' \equiv \mathsf{a}(e'_1, \ldots, e'_n)$;
• there exist a $v \in \mathcal{V}$ and $e, e' \in \mathcal{D}$ such that $\mathfrak{D} \models e = e'$, $a \equiv [v := e]$,
  and $a' \equiv [v := e']$.

We write $[a]$, where $a \in \mathcal{A}_\tau$, for the equivalence class of $a$ with respect to $\sim$.

For each $\sigma \in \mathcal{EM}$, the binary relation $\Rightarrow^{\{\sigma\}}$ on $\mathcal{P}_{\mathrm{rec}}$ defined as the
reflexive transitive closure of $\xrightarrow{\{\sigma\}\,\tau}$ is also needed.
Moreover, we write $t \xrightarrow{(\{\sigma\}\,a)} t'$, where $\sigma \in \mathcal{EM}$ and $a \in \mathcal{A}_\tau$, for
$t \xrightarrow{\{\sigma\}\,a} t'$ or both $a \equiv \tau$ and $t \equiv t'$.

A branching bisimulation is a binary relation $R$ on $\mathcal{P}_{\mathrm{rec}}$ such that, for all
terms $t_1, t_2 \in \mathcal{P}_{\mathrm{rec}}$ with $(t_1, t_2) \in R$, the following transfer conditions hold:

• if $t_1 \xrightarrow{\{\sigma\}\,a} t'_1$, then there exist an $a' \in [a]$ and $t^*_2, t'_2 \in \mathcal{P}_{\mathrm{rec}}$ such that
  $t_2 \Rightarrow^{\{\sigma\}} t^*_2$, $t^*_2 \xrightarrow{(\{\sigma\}\,a')} t'_2$, $(t_1, t^*_2) \in R$, and $(t'_1, t'_2) \in R$;
• if $t_2 \xrightarrow{\{\sigma\}\,a} t'_2$, then there exist an $a' \in [a]$ and $t^*_1, t'_1 \in \mathcal{P}_{\mathrm{rec}}$ such that
  $t_1 \Rightarrow^{\{\sigma\}} t^*_1$, $t^*_1 \xrightarrow{(\{\sigma\}\,a')} t'_1$, $(t^*_1, t_2) \in R$, and $(t'_1, t'_2) \in R$;
• if $t_1\,\{\sigma\}{\downarrow}$, then there exists a $t^*_2 \in \mathcal{P}_{\mathrm{rec}}$ such that $t_2 \Rightarrow^{\{\sigma\}} t^*_2$, $t^*_2\,\{\sigma\}{\downarrow}$, and
  $(t_1, t^*_2) \in R$;
• if $t_2\,\{\sigma\}{\downarrow}$, then there exists a $t^*_1 \in \mathcal{P}_{\mathrm{rec}}$ such that $t_1 \Rightarrow^{\{\sigma\}} t^*_1$, $t^*_1\,\{\sigma\}{\downarrow}$, and
  $(t^*_1, t_2) \in R$.

If $R$ is a branching bisimulation, then a pair $(t_1, t_2)$ is said to satisfy the
root condition in $R$ if the following conditions hold:

• if $t_1 \xrightarrow{\{\sigma\}\,a} t'_1$, then there exist an $a' \in [a]$ and a $t'_2 \in \mathcal{P}_{\mathrm{rec}}$ such that
  $t_2 \xrightarrow{\{\sigma\}\,a'} t'_2$ and $(t'_1, t'_2) \in R$;
• if $t_2 \xrightarrow{\{\sigma\}\,a} t'_2$, then there exist an $a' \in [a]$ and a $t'_1 \in \mathcal{P}_{\mathrm{rec}}$ such that
  $t_1 \xrightarrow{\{\sigma\}\,a'} t'_1$ and $(t'_1, t'_2) \in R$;
• $t_1\,\{\sigma\}{\downarrow}$ iff $t_2\,\{\sigma\}{\downarrow}$.

Two terms $t_1, t_2 \in \mathcal{P}_{\mathrm{rec}}$ are rooted branching bisimulation equivalent, written
$t_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2$, if there exists a branching bisimulation $R$ such that $(t_1, t_2) \in R$
and $(t_1, t_2)$ satisfies the root condition in $R$.

In Section 7, it is proved that $\underline{\leftrightarrow}_{\mathrm{rb}}$ is a congruence with respect to the
operators of ACP$^\tau_\epsilon$-I+REC of which the result sort and at least one argument
sort is $\mathbf{P}$. Without the root condition, $\underline{\leftrightarrow}_{\mathrm{rb}}$ would not be a congruence with
respect to the operator $+$. For example, it would be the case that $\tau \cdot a \underline{\leftrightarrow}_{\mathrm{rb}} a$
and not $\tau \cdot a + b \underline{\leftrightarrow}_{\mathrm{rb}} a + b$.

Let $R$ be a branching bisimulation such that $(t_1, t_2) \in R$ and the
pair $(t_1, t_2)$ satisfies the root condition in $R$. Then we say that $R$ is a
branching bisimulation witnessing $t_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2$.


6 Interlude

In the preceding sections, two relatively uncommon choices have been made:

• the choice to include the rather unusual evaluation operators, i.e. $\mathsf{V}_\sigma$
  for each $\sigma \in \mathcal{EM}$, in the operators of ACP$^\tau_\epsilon$-I+REC;
• the choice for a structural operational semantics of ACP$^\tau_\epsilon$-I+REC with
  a transition relation $\xrightarrow{\ell}$ on $\mathcal{P}_{\mathrm{rec}}$ for each $\ell \in \mathcal{EM} \times \mathcal{A}_\tau$, while a transition
  relation $\xrightarrow{\ell}$ on $\mathcal{P}_{\mathrm{rec}} \times \mathcal{EM}$ for each $\ell \in \mathcal{A}_\tau$ is arguably more common.

In this short section, the reasons for these choices are clarified.
The issues which influenced the above-mentioned choices most are:

• the need for a variant of rooted branching bisimulation equivalence
  that is a congruence with respect to all operators of ACP$^\tau_\epsilon$-I+REC;
• the need for a coarser equivalence in cases where parallel composition,
  left merge, and communication merge are not involved.

With the chosen kind of transition relations, the first need can be fulfilled
with a simple and natural generalization of rooted branching bisimulation
equivalence as originally introduced in [41], but with the more common kind
of transition relations a less obvious variant of rooted branching bisimulation
equivalence, a 'stateless' variant in the terminology of [32], has to be devised.
As a consequence, with the chosen kind of transition relations, generalizations
of existing proof techniques and proof ideas could be used in establishing the
soundness and semi-completeness results presented in Section 7, whereas this
would not be the case with the more common kind of transition relations.

The variant of rooted branching bisimulation equivalence referred to at
the beginning of the previous paragraph is the equivalence $\underline{\leftrightarrow}_{\mathrm{rb}}$ introduced
at the end of Section 5. In order to be a congruence with respect to parallel
composition, left merge, and communication merge, $\underline{\leftrightarrow}_{\mathrm{rb}}$ identifies two terms
from $\mathcal{P}_{\mathrm{rec}}$ if the processes denoted by them can simulate each other even in
the case where the data values assigned to flexible variables may change after
each transition, through assignment actions performed by parallel processes.
The second need mentioned above is the need for an equivalence that does
not take such changes into account in cases where parallel composition, left
merge, and communication merge are not involved. Two terms $t, t' \in \mathcal{P}_{\mathrm{rec}}$
are equivalent according to this coarser equivalence iff $\mathsf{V}_\sigma(t) \underline{\leftrightarrow}_{\mathrm{rb}} \mathsf{V}_\sigma(t')$ for
all $\sigma \in \mathcal{EM}$. This means that the coarser equivalence is covered in the
semantics of ACP$^\tau_\epsilon$-I+REC by the choice to include the evaluation operators
in the operators of ACP$^\tau_\epsilon$-I+REC.

We have that, for all $t, t' \in \mathcal{P}_{\mathrm{rec}}$ and $\sigma \in \mathcal{EM}$, ACP$^\tau_\epsilon$-I+REC+CFAR $\vdash$
$\mathsf{V}_\sigma(t) = \mathsf{V}_\sigma(t')$ iff $\mathsf{V}_\sigma(t) \underline{\leftrightarrow}_{\mathrm{rb}} \mathsf{V}_\sigma(t')$ (see Corollary 1 below). So the axioms
of ACP$^\tau_\epsilon$-I+REC+CFAR, which constitute an equational axiomatization of
$\underline{\leftrightarrow}_{\mathrm{rb}}$, are also adequate for equational verification of the coarser equivalence.

In [25], an extension of ACP with the empty process constant, the unary
counterpart of the binary guarded command operator, and actions to change
a data-state is presented. Evaluation maps can be taken as special cases
of data-states. For similar reasons as in the case of ACP$^\tau_\epsilon$-I+REC, there
is a need for two equivalences. This is not dealt with by the inclusion of
evaluation operators. Instead, in equational reasoning, certain axioms may
only be applied to terms in which the parallel composition, left merge, and
communication merge operators do not occur.

In an appendix, a structural operational semantics of ACP$^\tau_\epsilon$-I+REC
is presented which is reminiscent of a symbolic operational semantics in
the sense of [28]. It is a structural operational semantics with a transition
relation $\xrightarrow{\ell}$ on $\mathcal{P}_{\mathrm{rec}}$ for each $\ell \in \mathbf{C}^{\mathrm{sat}} \times \mathcal{A}_\tau$, where $\mathbf{C}^{\mathrm{sat}}$ is the set of all terms
$\phi \in \mathbf{C}$ for which $\mathfrak{D} \nvdash \phi \Leftrightarrow \mathsf{f}$. In my opinion, this structural operational
semantics is intuitively more appealing than the one presented in Section 5,
but the definition of the variant of rooted branching bisimulation equivalence
based on it is quite unintelligible.


7 Soundness and Completeness

In this section, soundness and (semi-)completeness results with respect to
rooted branching bisimulation equivalence for the axioms of ACP$^\tau_\epsilon$-I+REC+CFAR
are presented.

Firstly, rooted branching bisimulation equivalence is an equivalence
relation indeed.

Proposition 1 (Equivalence) The relation $\underline{\leftrightarrow}_{\mathrm{rb}}$ is an equivalence relation.

Proof: It must be shown that $\underline{\leftrightarrow}_{\mathrm{rb}}$ is reflexive, symmetric, and transitive.

Let $t \in \mathcal{P}_{\mathrm{rec}}$. Then the identity relation $I$ on $\mathcal{P}_{\mathrm{rec}}$ is a branching bisimulation
such that $(t, t) \in I$ and $(t, t)$ satisfies the root condition in $I$. Hence,
$t \underline{\leftrightarrow}_{\mathrm{rb}} t$, which proves that $\underline{\leftrightarrow}_{\mathrm{rb}}$ is reflexive.

Let $t_1, t_2 \in \mathcal{P}_{\mathrm{rec}}$ be such that $t_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2$, and let $R$ be a branching
bisimulation such that $(t_1, t_2) \in R$ and $(t_1, t_2)$ satisfies the root condition
in $R$. Then $R^{-1}$ is a branching bisimulation such that $(t_2, t_1) \in R^{-1}$ and
$(t_2, t_1)$ satisfies the root condition in $R^{-1}$. Hence, $t_2 \underline{\leftrightarrow}_{\mathrm{rb}} t_1$, which proves
that $\underline{\leftrightarrow}_{\mathrm{rb}}$ is symmetric.

Let $t_1, t_2, t_3 \in \mathcal{P}_{\mathrm{rec}}$ be such that $t_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2$ and $t_2 \underline{\leftrightarrow}_{\mathrm{rb}} t_3$, let $R$ be a
branching bisimulation such that $(t_1, t_2) \in R$ and $(t_1, t_2)$ satisfies the root
condition in $R$, and let $S$ be a branching bisimulation such that $(t_2, t_3) \in S$
and $(t_2, t_3)$ satisfies the root condition in $S$. Then $R \circ S$ is a branching
bisimulation such that $(t_1, t_3) \in R \circ S$ and $(t_1, t_3)$ satisfies the root condition
in $R \circ S$.$^8$ That $R \circ S$ is a branching bisimulation is proved in the same
way as Proposition 7 in [4]. Hence, $t_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_3$, which proves that $\underline{\leftrightarrow}_{\mathrm{rb}}$ is
transitive.

$^8$ We write $R \circ S$ for the composition of $R$ with $S$.

Moreover, rooted branching bisimulation equivalence is a congruence
with respect to the operators of ACP$^\tau_\epsilon$-I+REC of which the result sort and
at least one argument sort is $\mathbf{P}$.


Proposition 2 (Congruence) For all terms $t_1, t'_1, t_2, t'_2 \in \mathcal{P}_{\mathrm{rec}}$ and all
terms $\phi \in \mathbf{C}$, $t_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2$ and $t'_1 \underline{\leftrightarrow}_{\mathrm{rb}} t'_2$ only if $t_1 + t'_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2 + t'_2$,
$t_1 \cdot t'_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2 \cdot t'_2$, $t_1 \parallel t'_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2 \parallel t'_2$, $t_1 \mathbin{\lfloor\!\lfloor} t'_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2 \mathbin{\lfloor\!\lfloor} t'_2$,
$t_1 \mid t'_1 \underline{\leftrightarrow}_{\mathrm{rb}} t_2 \mid t'_2$, $\partial_H(t_1) \underline{\leftrightarrow}_{\mathrm{rb}} \partial_H(t_2)$, $\tau_I(t_1) \underline{\leftrightarrow}_{\mathrm{rb}} \tau_I(t_2)$,
$\phi \mathbin{:\to} t_1 \underline{\leftrightarrow}_{\mathrm{rb}} \phi \mathbin{:\to} t_2$, and $\mathsf{V}_\sigma(t_1) \underline{\leftrightarrow}_{\mathrm{rb}} \mathsf{V}_\sigma(t_2)$.

Proof: A detailed proof would contain an adapted copy of at least ten
pages from [23]. Therefore, only an outline of the proof is given here. In
order to fully understand the outline, the above-mentioned paper must
be consulted.

In [23], an SOS rule format is presented which guarantees that the
'standard' version of branching bisimulation equivalence is a congruence.
The format concerned is called the RBB safe format. Below, this format
is adapted in order to deal with a set of transition labels that contains a
special element $\{\sigma\}\,\tau$ for each $\sigma \in \mathcal{EM}$ instead of a single special element $\tau$
and with a slightly different version of branching bisimulation equivalence. A
definition of a patience rule is needed that differs from the one given in [23]:
a patience rule for the $i$th argument of an $n$-ary operator $f$ is a path rule of
the form

$$\frac{x_i \xrightarrow{\{\sigma\}\,\tau} y}{f(x_1, \ldots, x_n) \xrightarrow{\{\sigma\}\,\tau} f(x_1, \ldots, x_{i-1}, y, x_{i+1}, \ldots, x_n)}$$

where $\sigma \in \mathcal{EM}$. The RBB safe format is adapted by making the following
changes to the definition of the RBB safe format as given in [23]:

• in the two syntactic restrictions of the RBB safe format that concern
  wild arguments, the phrase "a patience rule" is changed to "a patience
  rule for each $\sigma \in \mathcal{EM}$";
• in the second syntactic restriction of the RBB safe format that concerns
  wild arguments, the phrase "the relation $\xrightarrow{\tau}$" is changed to "the relation
  $\xrightarrow{\{\sigma\}\,\tau}$, for some $\sigma \in \mathcal{EM}$".

It is straightforward to check that the proof of Theorem 3.4 from [23] goes
through for the adapted RBB safe format and the version of branching
bisimulation equivalence considered in this paper. This means that the
proposition holds if the rules in Table 5 are in the adapted RBB safe format
with respect to some tame/wild labeling of arguments of operators. It is
easy to verify that this is the case with the following tame/wild labeling:
both arguments of $+$ are tame, the first argument of $\cdot$ is wild and the second
argument of $\cdot$ is tame, both arguments of $\parallel$ are wild, both arguments of $\mathbin{\lfloor\!\lfloor}$
and $\mid$ are tame, the argument of $\partial_H$ and $\tau_I$ is wild, the second argument of
$\mathbin{:\to}$ is tame, and the argument of $\mathsf{V}_\sigma$ is wild.

The tame/wild labeling given at the end of the proof of Proposition 2 is
provided so that the reader who consults [23] can easily check that the rules
in Table 5 are in the adapted RBB safe format.
Below, the soundness of the axiom system of ACP$^\tau_\epsilon$-I+REC+CFAR
with respect to $\underline{\leftrightarrow}_{\mathrm{rb}}$ for equations between terms from $\mathcal{P}_{\mathrm{rec}}$ will be established.
The following terminology will be used in the soundness proof:

• an equation $eq$ of ACP$^\tau_\epsilon$-I+REC terms of sort $\mathbf{P}$ is said to be valid
  with respect to $\underline{\leftrightarrow}_{\mathrm{rb}}$ if, for each closed substitution instance $t = t'$ of $eq$,
  $t \underline{\leftrightarrow}_{\mathrm{rb}} t'$; and
• a conditional equation $ceq$ of ACP$^\tau_\epsilon$-I+REC terms of sort $\mathbf{P}$ is said to
  be valid with respect to $\underline{\leftrightarrow}_{\mathrm{rb}}$ if, for each closed substitution instance
  $\{t_i = t'_i \mid i \in I\} \Rightarrow t = t'$ of $ceq$, $t \underline{\leftrightarrow}_{\mathrm{rb}} t'$ if $t_i \underline{\leftrightarrow}_{\mathrm{rb}} t'_i$ for each $i \in I$.
Theorem 1 (Soundness) For all terms $t, t' \in \mathcal{P}_{\mathrm{rec}}$, $t = t'$ is derivable
from the axioms of ACP$^\tau_\epsilon$-I+REC+CFAR only if $t \underline{\leftrightarrow}_{\mathrm{rb}} t'$.

Proof: Because $\underline{\leftrightarrow}_{\mathrm{rb}}$ is a congruence with respect to all operators from
the signature of ACP$^\tau_\epsilon$-I+REC+CFAR, only the validity of each axiom of
ACP$^\tau_\epsilon$-I+REC+CFAR has to be proved.

Below, we write $\mathrm{csi}(eq)$, where $eq$ is an equation of ACP$^\tau_\epsilon$-I+REC terms
of sort $\mathbf{P}$, for the set of all closed substitution instances of $eq$. Moreover, we
write $R_{\mathrm{id}}$ for the identity relation on $\mathcal{P}_{\mathrm{rec}}$.

For each axiom $ax$ of ACP$^\tau_\epsilon$-I+REC+CFAR, a rooted branching bisimulation
$R_{ax}$ witnessing the validity of $ax$ can be constructed as follows:

• if $ax$ is one of the axioms A7, CM2E, CM5E, CM6E, GC2 or an instance
  of one of the axiom schemas D0, D2, T0, GC3, V0, CM7Db–CM7De:

  $$R_{ax} = \{(t, t') \mid t = t' \in \mathrm{csi}(ax)\} ;$$

• if $ax$ is one of the axioms A1–A6, A8, A9, CM4, CM8–CM9, GC1
  or an instance of one of the axiom schemas CM3, CM7, D1, D3, D4,
  T1–T4, GC4–GC12, V1–V6, CM7Da, RDP:

  $$R_{ax} = \{(t, t') \mid t = t' \in \mathrm{csi}(ax)\} \cup R_{\mathrm{id}} ;$$

• if $ax$ is CM1E:

  $$R_{ax} = \{(t, t') \mid t = t' \in \mathrm{csi}(ax)\} \cup \{(t, t') \mid t = t' \in \mathrm{csi}(x \parallel y = y \parallel x)\} \cup R_{\mathrm{id}} ;$$

• if $ax$ is an instance of BE:

  $$R_{ax} = \{(t, t') \mid t = t' \in \mathrm{csi}(ax)\} \cup \{(t, t') \mid t = t' \in \mathrm{csi}(\tau \cdot (x + y) + x = x + y)\} \cup R_{\mathrm{id}} ;$$

• if $ax$ is an instance of BED: similar;

• if $ax$ is an instance $\tau \cdot \tau_I(\langle X \mid E \rangle) = \tau \cdot \tau_I(\langle \sum_{i=1}^{n} t_i \mid E \rangle)$ of CFAR:

  $$R_{ax} = \{(t, t') \mid t = t' \in \mathrm{csi}(ax)\} \cup \{(\tau_I(\langle Y \mid E \rangle),\ \tau_I(\langle \textstyle\sum_{i=1}^{n} t_i \mid E \rangle)) \mid Y \in C\} \cup R_{\mathrm{id}} ,$$

  where $C$ is the finite conservative cluster for $I$ in $E$ such that $X \in C$
  and $\mathrm{exits}_{I,E}(C) = \{t_1, \ldots, t_n\}$;

• if $ax$ is an instance $\{X_i = t_i \mid i \in I\} \Rightarrow X_j = \langle X_j \mid \{X_i = t_i \mid i \in I\} \rangle$
  ($j \in I$) of RSP:

  $$R_{ax} = \{(\theta(X_j), \langle X_j \mid \{X_i = t_i \mid i \in I\} \rangle) \mid j \in I \wedge \theta \in \Theta \wedge \forall i \in I \,.\, \theta(X_i) \underline{\leftrightarrow}_{\mathrm{rb}} \theta(t_i)\} \cup R_{\mathrm{id}} ,$$

  where $\Theta$ is the set of all functions from $\mathcal{X}$ to $\mathcal{P}_{\mathrm{rec}}$ and $\theta(t)$, where
  $\theta \in \Theta$ and $t$ is an ACP$^\tau_\epsilon$-I+REC term of sort $\mathbf{P}$, stands for $t$ with, for all
  $X \in \mathcal{X}$, all occurrences of $X$ replaced by $\theta(X)$.

For each equational axiom $ax$ of ACP$^\tau_\epsilon$-I+REC+CFAR, it is straightforward
to check that the constructed relation $R_{ax}$ is a branching bisimulation
witnessing, for each closed substitution instance $t = t'$ of $ax$, $t \underline{\leftrightarrow}_{\mathrm{rb}} t'$. For each
conditional equational axiom $ax$ of ACP$^\tau_\epsilon$-I+REC+CFAR, i.e. for each
instance of RSP, it is straightforward to check that the constructed relation $R_{ax}$
is a branching bisimulation witnessing, for each closed substitution instance
$\{t_i = t'_i \mid i \in I\} \Rightarrow t = t'$ of $ax$, $t \underline{\leftrightarrow}_{\mathrm{rb}} t'$ if $t_i \underline{\leftrightarrow}_{\mathrm{rb}} t'_i$ for each $i \in I$.


The axioms of ACP$^\tau_\epsilon$-I+REC+CFAR are incomplete with respect to
$\underline{\leftrightarrow}_{\mathrm{rb}}$ for equations between terms from $\mathcal{P}_{\mathrm{rec}}$ and there is no straightforward
way to rectify this. Below two semi-completeness results are presented. The
next two lemmas are used in the proofs of those results.

A term $t \in \mathcal{P}_{\mathrm{rec}}$ is called abstraction-free if no abstraction operator
occurs in $t$. A term $t \in \mathcal{P}_{\mathrm{rec}}$ is called bool-conditional if, for each $\phi \in \mathbf{C}$ that
occurs in $t$, $\mathfrak{D} \models \phi \Leftrightarrow \mathsf{t}$ or $\mathfrak{D} \models \phi \Leftrightarrow \mathsf{f}$.

Lemma 1 For all abstraction-free $t \in \mathcal{P}_{\mathrm{rec}}$, there exist a guarded linear
recursive specification $E$ and $X \in \mathrm{vars}(E)$ such that ACP$^\tau_\epsilon$-I+REC $\vdash$
$t = \langle X \mid E \rangle$.

Proof: This is easily proved by structural induction on $t$. The proof
involves constructions of guarded linear recursive specifications from guarded
linear recursive specifications for the operators of ACP$^\tau_\epsilon$-I other than the
abstraction operators. For the greater part, the constructions are reminiscent
of operations on process graphs defined in Sections 2.7 and 4.5.5 from [3].

Lemma 2 For all bool-conditional $t \in \mathcal{P}_{\mathrm{rec}}$, there exist a guarded linear
recursive specification $E$ and $X \in \mathrm{vars}(E)$ such that ACP$^\tau_\epsilon$-I+REC+CFAR $\vdash$
$t = \langle X \mid E \rangle$.

Proof: This is also proved by structural induction on $t$. The cases other
than the case where $t$ is of the form $\tau_I(t')$ are as in the proof of Lemma 1.
The case where $t$ is of the form $\tau_I(t')$ is the difficult one. It is proved in the
same way as it is done for ACP$^\tau$+REC+CFAR in the proof of Theorem 5.6.2
from [22].

The difficult case of the proof of Lemma 2 is the only case in which an
application of CFAR is involved.

The following two theorems are the semi-completeness results referred
to above.

Theorem 2 (Semi-completeness I) For all abstraction-free $t, t' \in \mathcal{P}_{\mathrm{rec}}$,
ACP$^\tau_\epsilon$-I+REC $\vdash t = t'$ if $t \underline{\leftrightarrow}_{\mathrm{rb}} t'$.

Proof: Because of Lemma 1, Theorem 1, and Proposition 1, it suffices
to prove that, for all guarded linear recursive specifications $E$ and $E'$
with $X \in \mathrm{vars}(E)$ and $X' \in \mathrm{vars}(E')$, ACP$^\tau_\epsilon$-I+REC $\vdash \langle X \mid E \rangle = \langle X' \mid E' \rangle$
if $\langle X \mid E \rangle \underline{\leftrightarrow}_{\mathrm{rb}} \langle X' \mid E' \rangle$. This is proved in the same way as it is done for
ACP$^\tau$+REC in the proof of Theorem 5.3.2 from [22].

Theorem 3 (Semi-completeness II) For all bool-conditional $t, t' \in \mathcal{P}_{\mathrm{rec}}$,
ACP$^\tau_\epsilon$-I+REC+CFAR $\vdash t = t'$ if $t \underline{\leftrightarrow}_{\mathrm{rb}} t'$.

Proof: Because of Lemma 2, Theorem 1, and Proposition 1, it suffices
to prove that, for all guarded linear recursive specifications $E$ and $E'$ with
$X \in \mathrm{vars}(E)$ and $X' \in \mathrm{vars}(E')$, ACP$^\tau_\epsilon$-I+REC+CFAR $\vdash \langle X \mid E \rangle = \langle X' \mid E' \rangle$
if $\langle X \mid E \rangle \underline{\leftrightarrow}_{\mathrm{rb}} \langle X' \mid E' \rangle$. This is proved in the same way as it is done for
ACP$^\tau$+REC in the proof of Theorem 5.3.2 from [22].

It is due to sufficiently similar shapes of linear ACP$^\tau_\epsilon$-I terms and linear
ACP$^\tau$ terms that parts of the proofs of Theorems 2 and 3 go in the same way
as parts of proofs from [22]. It needs mentioning here that the body of the
proof of Theorem 5.3.2 from [22] is restricted to constants $\langle X \mid E \rangle$ where $E$
does not contain equations $Y = \tau + \ldots + \tau$ with $Y \neq X$. The corresponding
part of the proofs of Theorems 2 and 3 is likewise restricted to constants
$\langle X \mid E \rangle$ where $E$ does not contain equations $Y = \phi_1 \mathbin{:\to} \tau + \ldots + \phi_n \mathbin{:\to} \tau$
with $Y \neq X$. This is not because such an equation can be eliminated, but
because it can be replaced by $Y = (\phi_1 \vee \ldots \vee \phi_n) \mathbin{:\to} \epsilon$.
The following is a corollary of Theorems 1 and 3.

Corollary 1 For all $t, t' \in \mathcal{P}_{\mathrm{rec}}$, for all $\sigma \in \mathcal{EM}$, ACP$^\tau_\epsilon$-I+REC+CFAR $\vdash$
$\mathsf{V}_\sigma(t) = \mathsf{V}_\sigma(t')$ iff $\mathsf{V}_\sigma(t) \underline{\leftrightarrow}_{\mathrm{rb}} \mathsf{V}_\sigma(t')$.


8 Information-Flow Security

In this section, it will be explained how ACP$^\tau_\epsilon$-I can be used for information-
flow security analysis of the kind that is concerned with the leakage of
confidential data. However, first, a general idea is given of what information-
flow security is about and what results have been produced by research on
this subject.

Consider a program whose variables are partitioned into high-security
variables and low-security variables. High-security variables are considered to
contain confidential data and low-security variables are considered to contain
non-confidential data. The information flow in the program is called secure
if information derivable from data contained in the high-security variables
cannot be inferred from data contained in the low-security variables. Secure
information flow means that no confidential data is leaked. A well-known
program property that guarantees secure information flow is non-interference.
In the case where the program is a deterministic sequential program, non-
interference is the property that the data initially contained in high-security
variables has no effect on the data finally contained in low-security variables.

Theoretical work on information-flow security has been done since the
1970s (see e.g. [5, 17, 18, 14, 15]). A great part of the work done until now
has been done in a programming-language setting. This work has among
other things led to security-type systems for programming languages. The
languages concerned vary from languages supporting sequential program-
ming to languages supporting concurrent programming and from languages
for programming transformational systems to languages for programming
reactive systems (see e.g. [42, 40, 12, 34, 10]).

However, work on information-flow security has also been done in a
process-algebra setting. In such a setting, the information flow in a process
is generally called secure if information derivable from confidential actions
cannot be inferred from non-confidential actions (see e.g. [20, 36, 11, 31]). So,
in a process-algebra setting, secure information flow usually means that no
confidential action is revealed. Moreover, in such a setting, non-interference
is the property that the confidential actions have no effect on the non-
confidential actions. Recently, work done on information-flow security in a
process-algebra setting occasionally deals with the data-oriented notion of
secure information flow, but on such occasions program variables are always
mimicked by processes (see e.g. [21, 29]). ACP$^\tau_\epsilon$-I obviates the need to mimic
program variables.

In the rest of this section, the interest is in processes that are carried
out by systems that have a state comprising a number of data-containing
components whose content can be looked up and changed. Moreover, the
attention is focussed on processes, not necessarily arising from the execution
of a program, in which (a) confidential and non-confidential data contained
in the state components of the system in question are looked up and changed
and (b) an ongoing interaction with the environment of the system in
question is maintained where data are communicated in either direction. In
the terminology of ACP$^\tau_\epsilon$-I, the state components are called flexible variables.
From now on, processes of the kind described above are referred to as
processes of the type of interest. The processes that are carried out by many
contemporary systems are covered by the processes of the type of interest.

The point of view is taken that the information flow in a process of the
type of interest is secure if information derivable from the confidential data
contained in state components cannot be inferred from its interaction with
the environment. A process property that guarantees secure information
flow in this sense is the property that the confidential data contained in
state components has no effect on the interaction with the environment.
This property, which will be made more precise below, is called the DNII
(Data Non-Interference with Interactions) property. For a process with this
property, differences in the confidential data contained in state components
cannot be observed in (a) what remains of the process in the case where only
the actions that are performed to interact with the environment are visible
and (b) consequently in the data communicated with the environment.

For each closed ACP$^\tau_\epsilon$-I+REC term $P$ of sort $\mathbf{P}$ that denotes a process
of the type of interest, it is assumed that the following has been given:

• a set $\mathit{Low}^P \subseteq \mathcal{V}$ of low-security flexible variables of $P$;
• a set $\mathit{Ext}^P \subseteq \mathsf{A} \cup \bigcup_{n \in \mathbb{N}^+} \{\mathsf{a}(e_1, \ldots, e_n) \mid \mathsf{a} \in \mathsf{A} \wedge e_1, \ldots, e_n \in \mathcal{D}\}$ of
  external actions of $P$.

For each closed ACP$^\tau_\epsilon$-I+REC term $P$ of sort $\mathbf{P}$ that denotes a process of
the type of interest, we define the following sets:

$$\mathit{High}^P = \{v \in \mathcal{V}^P \mid v \notin \mathit{Low}^P\} ,$$
$$\mathit{Int}^P = \{a \in \mathcal{A}^P \mid a \notin \mathit{Ext}^P\} ,$$

where

$$\mathcal{V}^P = \{v \in \mathcal{V} \mid v \text{ occurs in } P\} ,$$
$$\mathcal{A}^P = \{\mathsf{a} \in \mathsf{A} \mid \mathsf{a} \text{ occurs in } P\}
\cup \bigcup_{n \in \mathbb{N}^+} \{\mathsf{a}(\sigma(e_1), \ldots, \sigma(e_n)) \mid \sigma \in \mathcal{EM} \wedge \mathsf{a}(e_1, \ldots, e_n) \text{ occurs in } P\}
\cup \{[v := \sigma(e)] \mid \sigma \in \mathcal{EM} \wedge [v := e] \text{ occurs in } P\} .$$

$\mathit{High}^P$ is called the set of high-security flexible variables of $P$ and $\mathit{Int}^P$ is
called the set of internal actions of $P$.

The flexible variables in $\mathit{Low}^P$ are the flexible variables of $P$ that contain
non-confidential data and the flexible variables in $\mathit{High}^P$ are the flexible
variables of $P$ that contain confidential data. The actions in $\mathit{Ext}^P$ are the
actions that are performed by $P$ to interact with the environment and the
actions in $\mathit{Int}^P$ are the actions that are performed by $P$ to do something else
than to interact with the environment. The actions in $\mathit{Int}^P$ are considered
to be invisible in the environment. In earlier work based on a purely action-
oriented notion of secure information flow, the actions in $\mathit{Ext}^P$ and $\mathit{Int}^P$
are called low-security actions and high-security actions, respectively, or
something similar.

For each closed ACP$^\tau_\epsilon$-I+REC term $P$ of sort $\mathbf{P}$ that denotes a process
of the type of interest, $P$ has the DNII property iff

$$\text{ACP}^\tau_\epsilon\text{-I+REC+CFAR} \vdash \tau_{\mathit{Int}^P}(\mathsf{V}_\sigma(P)) = \tau_{\mathit{Int}^P}(\mathsf{V}_{\sigma'}(P))$$

for all evaluation maps $\sigma$ and $\sigma'$ such that $\sigma(v) = \sigma'(v)$ for all $v \in \mathit{Low}^P$.
This definition is justified by the fact, which follows from Corollary 1,
that

$$\text{ACP}^\tau_\epsilon\text{-I+REC+CFAR} \vdash \tau_{\mathit{Int}^P}(\mathsf{V}_\sigma(P)) = \tau_{\mathit{Int}^P}(\mathsf{V}_{\sigma'}(P))
\quad\text{iff}\quad \tau_{\mathit{Int}^P}(\mathsf{V}_\sigma(P)) \underline{\leftrightarrow}_{\mathrm{rb}} \tau_{\mathit{Int}^P}(\mathsf{V}_{\sigma'}(P)) .$$

The left-hand side and the right-hand side of the equation in the above
definition denote the processes that remain of the process denoted by $P$ in
the case that the data values assigned to the flexible variables are initially as
defined by $\sigma$ and $\sigma'$, respectively, and moreover all internal actions of $P$ are
not visible. The condition imposed on the evaluation maps $\sigma$ and $\sigma'$ tells us
that the equation must always hold if, for each low-security flexible variable
of $P$, the data values assigned to it according to $\sigma$ and $\sigma'$ are the same. This
corresponds to the intuitive idea mentioned above that, for a process with
the DNII property, differences in the confidential data cannot be observed
in what remains of the process in the case where only the actions that are
performed to interact with the environment are visible.
Assume that $h, l \in \mathcal{V}$ and $a, b \in A$. Let $P$ be the closed ACP$^\tau_\epsilon$-I+REC
term

  $(h = 0) :\rightarrow [l := l + 1] \cdot a \;+\; \neg(h = 0) :\rightarrow a \cdot [l := l + 1] \;+\; b$

of sort P with $Low^P = \{l\}$ and $Ext^P = \{a, b\}$. $P$ is a very simple example
of a term of which it may not be immediately clear that it denotes a process
that does not have the DNII property. Notice that, by definition, $h \in High^P$
and $[l := l + 1] \in Int^P$. When $[l := l + 1]$ is performed, this cannot be observed
in the externally observable process because $[l := l + 1]$ is an internal action.
This means that, irrespective of the value that is initially assigned to $h$, the
externally observable process performs either $a$ or $b$ and after that terminates
successfully. This is why the process denoted by $P$ may seem to have the
DNII property. However, at the point that the externally observable process
has the option to perform $a$, it also has the option to perform $b$ in the case
where the value initially assigned to $h$ is not $0$, while it does not also have
the option to perform $b$ in the case where the value initially assigned to $h$
is $0$. In other words, the externally observable process in the former case
differs from the externally observable process in the latter case. This means
that whether or not $0$ is initially assigned to $h$ can be inferred from the
externally observable process. Hence, the informal conclusion is that $P$
denotes a process that does not have the DNII property. More formally, this
conclusion follows from the definition of the DNII property: we have

  $\mathrm{ACP}^\tau_\epsilon\text{-I+REC+CFAR} \vdash \tau_{Int^P}(V_\sigma(P)) = \tau \cdot a + b$

for all evaluation maps $\sigma$ such that $\sigma(h) = 0$ and we have

  $\mathrm{ACP}^\tau_\epsilon\text{-I+REC+CFAR} \vdash \tau_{Int^P}(V_{\sigma'}(P)) = a + b$

for all evaluation maps $\sigma'$ such that $\sigma'(h) \neq 0$ (abstraction turns $a \cdot [l := l + 1]$
into $a \cdot \tau$, and $a \cdot \tau = a$), but we do not have

  $\mathrm{ACP}^\tau_\epsilon\text{-I+REC+CFAR} \vdash \tau \cdot a + b = a + b$.
In CSP$_\sigma$ [16], presumably the only already existing imperative process algebra
that supports abstraction from actions that are considered not to be visible, the
DNII property cannot be defined. The cause of this is that abstraction
from actions that are considered not to be visible means in CSP$_\sigma$ that these
actions are simply removed. Because of that, processes such as $\tau_{Int^P}(V_\sigma(P))$
and $\tau_{Int^P}(V_{\sigma'}(P))$ from the example given above are equated.

Assume that $h, l \in \mathcal{V}$ and $a, b \in A$. Let $Q$ be the closed ACP$^\tau_\epsilon$-I+REC
term

  $(h = 0) :\rightarrow [l := l + 1] \cdot a \;+\; \neg(h = 0) :\rightarrow [l := l - 1] \cdot a \;+\; b$

of sort P with $Low^Q = \{l\}$ and $Ext^Q = \{a, b\}$. $Q$ is a very simple example
of a term that denotes a process that has the DNII property. This follows
from the definition of the DNII property: we have

  $\mathrm{ACP}^\tau_\epsilon\text{-I+REC+CFAR} \vdash \tau_{Int^Q}(V_\sigma(Q)) = \tau \cdot a + b$

for all evaluation maps $\sigma$ such that $\sigma(h) = 0$, we have

  $\mathrm{ACP}^\tau_\epsilon\text{-I+REC+CFAR} \vdash \tau_{Int^Q}(V_{\sigma'}(Q)) = \tau \cdot a + b$

for all evaluation maps $\sigma'$ such that $\sigma'(h) \neq 0$, and we trivially have

  $\mathrm{ACP}^\tau_\epsilon\text{-I+REC+CFAR} \vdash \tau \cdot a + b = \tau \cdot a + b$.
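The two checks above, mechanised as an added example that is not part of the paper: a small Python model of $\tau_{Int^P}(V_\sigma(P))$ and $\tau_{Int^Q}(V_\sigma(Q))$ for the two classes of evaluation maps ($\sigma(h) = 0$ and $\sigma(h) \neq 0$), compared by a fixpoint computation of rooted branching bisimulation equivalence in the standard, unconditional form (transfer conditions plus the root condition on the initial states), not the conditional ab-bisimulation of the appendix. The transition systems of the evaluated terms $V_\sigma(P)$ and $V_\sigma(Q)$ are transcribed by hand from the terms $P$ and $Q$; the state names, the function names, the value $1$ standing in for an arbitrary value $\neq 0$, and the decision not to track the value of $l$ (it only occurs in internal assignments, so it never changes the observable transition structure) are assumptions of the example.

```python
# Added example (not from the paper): DNII check for the paper's P and Q via
# rooted branching bisimulation on the abstracted, finite transition systems.
from itertools import product

TAU = "tau"   # the silent step
DONE = "ok"   # the single successful-termination state (name assumed)

class LTS:
    """Finite labelled transition system; trans maps a state to its (label, target) pairs."""
    def __init__(self, trans, init, term=frozenset({DONE})):
        self.trans = {s: list(outs) for s, outs in trans.items()}
        self.init, self.term = init, set(term)
        self.states = {init} | self.term | set(self.trans)
        for outs in self.trans.values():
            self.states |= {s2 for _, s2 in outs}

    def succ(self, s):
        return self.trans.get(s, [])

def abstract(lts, internal):
    """The abstraction operator tau_I: every action in `internal` becomes the silent step."""
    return LTS({s: [(TAU if a in internal else a, s2) for a, s2 in outs]
                for s, outs in lts.trans.items()}, lts.init, lts.term)

def tau_reach(lts, t):
    """States reachable from t by zero or more silent steps."""
    seen, todo = {t}, [t]
    while todo:
        for a, u in lts.succ(todo.pop()):
            if a == TAU and u not in seen:
                seen.add(u)
                todo.append(u)
    return seen

def step_matched(X, x, Y, y, rel, a, x2):
    """Transfer condition of branching bisimulation: can y (in Y) answer x -a-> x2 (in X)?"""
    if a == TAU and rel(x2, y):          # a silent step may be answered by staying put
        return True
    return any(rel(x, y1) and b == a and rel(x2, y2)
               for y1 in tau_reach(Y, y) for b, y2 in Y.succ(y1))

def term_matched(X, x, Y, y, rel):
    """If x may terminate, y must reach a terminating state through states related to x."""
    return x not in X.term or any(rel(x, y1) and y1 in Y.term for y1 in tau_reach(Y, y))

def branching_bisim(A, B):
    """Greatest branching bisimulation between A and B, computed by discarding bad pairs."""
    R = set(product(A.states, B.states))
    fwd = lambda p, q: (p, q) in R
    bwd = lambda p, q: (q, p) in R
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            ok = (all(step_matched(A, s, B, t, fwd, a, s2) for a, s2 in A.succ(s))
                  and all(step_matched(B, t, A, s, bwd, b, t2) for b, t2 in B.succ(t))
                  and term_matched(A, s, B, t, fwd) and term_matched(B, t, A, s, bwd))
            if not ok:
                R.discard((s, t))
                changed = True
    return R

def rooted_equivalent(A, B):
    """Rooted branching bisimulation equivalence: initial steps, tau included, match one-to-one."""
    R = branching_bisim(A, B)
    if (A.init, B.init) not in R:
        return False
    def root_ok(X, x, Y, y, rel):
        return ((x in X.term) == (y in Y.term) and
                all(any(b == a and rel(x2, y2) for b, y2 in Y.succ(y)) for a, x2 in X.succ(x)))
    return (root_ok(A, A.init, B, B.init, lambda p, q: (p, q) in R)
            and root_ok(B, B.init, A, A.init, lambda p, q: (q, p) in R))

# V_sigma(P) for P = (h = 0) :-> [l:=l+1].a + not(h = 0) :-> a.[l:=l+1] + b, transcribed by hand;
# the value of l is not tracked (assumption: it only occurs in internal assignments).
def V_P(h):
    if h == 0:
        return LTS({"P0": [("[l:=l+1]", "P1"), ("b", DONE)], "P1": [("a", DONE)]}, "P0")
    return LTS({"P0": [("a", "P1"), ("b", DONE)], "P1": [("[l:=l+1]", DONE)]}, "P0")

# V_sigma(Q) for Q = (h = 0) :-> [l:=l+1].a + not(h = 0) :-> [l:=l-1].a + b, transcribed by hand.
def V_Q(h):
    update = "[l:=l+1]" if h == 0 else "[l:=l-1]"
    return LTS({"Q0": [(update, "Q1"), ("b", DONE)], "Q1": [("a", DONE)]}, "Q0")

INTERNAL = {"[l:=l+1]", "[l:=l-1]"}   # Int^P and Int^Q: every action outside Ext = {a, b}

def has_dnii(V, high_values=(0, 1)):
    """DNII: the abstracted processes agree for all sigma, sigma' that differ only in h."""
    return all(rooted_equivalent(abstract(V(h1), INTERNAL), abstract(V(h2), INTERNAL))
               for h1 in high_values for h2 in high_values)

if __name__ == "__main__":
    print("P has DNII:", has_dnii(V_P))   # False: tau.a + b is not rooted equivalent to a + b
    print("Q has DNII:", has_dnii(V_Q))   # True:  tau.a + b on both sides
```

The fixpoint starts from the full relation and discards a pair as soon as one of its states cannot answer a step or a termination of the other; what survives is the greatest branching bisimulation, and the root condition is then checked separately on the pair of initial states. For $P$ the pair of initial states is already discarded, which is the formal counterpart of the informal argument above: after the silent step the $h = 0$ side can no longer do $b$.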


The DNII property is only one of the process properties related
to information flow security that can be defined and verified in ACP$^\tau_\epsilon$-
I+REC+CFAR. Insofar as information flow security of contemporary sys-
tems is concerned, it seems to be an essential property. The DNII property
is also one of the process properties related to information flow security
that cannot be defined naturally in the process algebras used in earlier work
on information flow security (cf. [20, 36, 11, 31]). The problem with those
process algebras is that state components must be mimicked by processes
in them.

The DNII property concerns the non-disclosure of confidential data, 
contained in state components of a system, through the possibly ongoing 
interaction of the system concerned with its environment. To my knowledge, 
such a property has not been proposed in the literature on information- 
flow security before. However, the DNII property is reminiscent of the 
combination of data non-interference and event non-interference as defined 
in [37], but a comparison is difficult to make because of rather different 
semantical bases. 
9 Concluding Remarks


I have introduced an ACP-based imperative process algebra. This process al-
gebra distinguishes itself from imperative process algebras such as VPLA [27],
IPAL [33], CSP$_\sigma$ [16], AWN [19], and the process algebra proposed in [13]
by the following three properties: (1) it supports abstraction from actions
that are considered not to be visible; (2) a verification of the equivalence of
two processes in its semantics is automatically valid in any semantics that is
fully abstract with respect to some notion of observable behaviour; (3) it
offers the possibility of equational verification of process equivalence.


Properties (1)-(3) have been achieved by the inclusion of the silent step
constant $\tau$ and the abstraction operators $\tau_I$ in the constants and operators of
the process algebra, the use of the rooted branching bisimulation equivalence
relation $\leftrightarrow_{rb}$ for the equivalence of processes in its semantics, and the provision
of the equational axiomatization of $\leftrightarrow_{rb}$.


The axioms of the presented imperative process algebra are not complete 
with respect to the equivalence of processes in its semantics. There is no 
straightforward way to rectify this. However, two semi-completeness results 
that may be relevant to various applications of this imperative process 
algebra have been established. One of those results is at least relevant to 
information-flow security analysis. The finiteness and linearity restrictions 
on guarded recursive specifications are not needed for the uniqueness of 
solutions. However, there would be no semi-completeness results without 
these restrictions. 


In this paper, I build on earlier work on ACP. The axioms of ACP$^\tau_\epsilon$
have been taken from Section 5.3 of [3] and the axioms for the guarded
command operator have been taken from [2]. The evaluation operators have
been inspired by [7] and the data parameterized action operators have been
inspired by [8].
Appendix: Alternative Bisimulation Semantics


In this appendix, an alternative to the structural operational semantics of
ACP$^\tau_\epsilon$-I+REC is presented and a definition of rooted branching bisimulation
equivalence for ACP$^\tau_\epsilon$-I+REC based on this alternative structural operational
semantics is given. This appendix is strongly based on Section 4 of [9].

We write $C^{sat}$ for the set of all terms $\phi \in C$ for which $\mathfrak{D} \not\models \phi \Leftrightarrow \mathsf{f}$. As
formulas of a first-order language with equality of $\mathfrak{D}$, the terms from $C^{sat}$
are the formulas that are satisfiable in $\mathfrak{D}$.

The alternative structural operational semantics of ACP$^\tau_\epsilon$-I+REC con-
sists of

• a binary conditional transition relation $\xrightarrow{\{\phi\}\,\alpha}$ on $P_{rec}$ for each
  $(\phi, \alpha) \in C^{sat} \times A_\tau$;
• a unary successful termination relation $\{\phi\}\!\downarrow$ on $P_{rec}$ for each $\phi \in C^{sat}$.

We write $t \xrightarrow{\{\phi\}\,\alpha} t'$ instead of $(t, t') \in {\xrightarrow{\{\phi\}\,\alpha}}$, and $t\,\{\phi\}\!\downarrow$ instead of
$t \in {\{\phi\}\!\downarrow}$. The relations from this structural operational semantics describe
what the processes denoted by terms from $P_{rec}$ are capable of doing as follows:

• $t \xrightarrow{\{\phi\}\,\alpha} t'$: if condition $\phi$ holds for the process denoted by $t$, then this
  process has the potential to make a transition to the process denoted
  by $t'$ by performing action $\alpha$;
• $t\,\{\phi\}\!\downarrow$: if condition $\phi$ holds for the process denoted by $t$, then this
  process has the potential to terminate successfully.

The relations from this structural operational semantics of ACP$^\tau_\epsilon$-
I+REC are the smallest relations satisfying the rules given in Table 6.
In this table, $\alpha$ stands for an arbitrary action from $A_\tau$, $\phi$ and $\psi$ stand for
arbitrary terms from $C^{sat}$, $a$, $b$, and $c$ stand for arbitrary basic actions from $A$,
$e, e_1, e_2, \ldots$ and $e'_1, e'_2, \ldots$ stand for arbitrary terms from D, $H$ stands for
an arbitrary subset of $A$ or the set $A_\tau$, $I$ stands for an arbitrary subset
of $A$, $\sigma$ stands for an arbitrary evaluation map from $EM$, $v$ stands for an
arbitrary flexible variable from $\mathcal{V}$, $X$ stands for an arbitrary variable from
$\mathcal{X}$, $t$ stands for an arbitrary ACP$^\tau_\epsilon$-I term of sort P, and $E$ stands for an
arbitrary guarded linear recursive specification over ACP$^\tau_\epsilon$-I.

The alternative structural operational semantics is such that the struc-
tural operational semantics presented in Section 5 can be obtained by re-
placing each transition $t \xrightarrow{\{\phi\}\,\alpha} t'$ by a transition of $t$ to $t'$ by performing $\alpha$
for each $\sigma \in EM$ for which $\mathfrak{D} \models \sigma(\phi)$, and likewise each $t\,\{\phi\}\!\downarrow$ by a successful
termination of $t$ for each such $\sigma$.
Table 6: Transition rules for ACP$^\tau_\epsilon$-I

  $a \xrightarrow{\{\mathsf{t}\}\,a} \epsilon \qquad \epsilon\,\{\mathsf{t}\}\!\downarrow \qquad \tau \xrightarrow{\{\mathsf{t}\}\,\tau} \epsilon$

  $\dfrac{x\,\{\phi\}\!\downarrow}{x + y\,\{\phi\}\!\downarrow} \quad \dfrac{y\,\{\phi\}\!\downarrow}{x + y\,\{\phi\}\!\downarrow} \quad \dfrac{x \xrightarrow{\{\phi\}\,\alpha} x'}{x + y \xrightarrow{\{\phi\}\,\alpha} x'} \quad \dfrac{y \xrightarrow{\{\phi\}\,\alpha} y'}{x + y \xrightarrow{\{\phi\}\,\alpha} y'}$

  $\dfrac{x\,\{\phi\}\!\downarrow \quad y\,\{\psi\}\!\downarrow \quad \mathfrak{D} \not\models \phi \wedge \psi \Leftrightarrow \mathsf{f}}{x \cdot y\,\{\phi \wedge \psi\}\!\downarrow} \quad \dfrac{x \xrightarrow{\{\phi\}\,\alpha} x'}{x \cdot y \xrightarrow{\{\phi\}\,\alpha} x' \cdot y} \quad \dfrac{x\,\{\phi\}\!\downarrow \quad y \xrightarrow{\{\psi\}\,\alpha} y' \quad \mathfrak{D} \not\models \phi \wedge \psi \Leftrightarrow \mathsf{f}}{x \cdot y \xrightarrow{\{\phi \wedge \psi\}\,\alpha} y'}$

  $\dfrac{x \xrightarrow{\{\phi\}\,\alpha} x'}{x \parallel y \xrightarrow{\{\phi\}\,\\alpha} x' \parallel y} \quad \dfrac{y \xrightarrow{\{\phi\}\,\alpha} y'}{x \parallel y \xrightarrow{\{\phi\}\,\alpha} x \parallel y'} \quad \dfrac{x \xrightarrow{\{\phi\}\,a} x' \quad y \xrightarrow{\{\psi\}\,b} y' \quad \gamma(a,b) = c \quad \mathfrak{D} \not\models \phi \wedge \psi \Leftrightarrow \mathsf{f}}{x \parallel y \xrightarrow{\{\phi \wedge \psi\}\,c} x' \parallel y'}$

  $\dfrac{x \xrightarrow{\{\phi\}\,a(e_1,\ldots,e_n)} x' \quad y \xrightarrow{\{\psi\}\,b(e'_1,\ldots,e'_n)} y' \quad \gamma(a,b) = c \quad \mathfrak{D} \not\models \phi \wedge \psi \wedge e_1 = e'_1 \wedge \ldots \wedge e_n = e'_n \Leftrightarrow \mathsf{f}}{x \parallel y \xrightarrow{\{\phi \wedge \psi \wedge e_1 = e'_1 \wedge \ldots \wedge e_n = e'_n\}\,c(e_1,\ldots,e_n)} x' \parallel y'}$

  $\dfrac{x \xrightarrow{\{\phi\}\,\alpha} x'}{x \,\lfloor\!\lfloor\, y \xrightarrow{\{\phi\}\,\alpha} x' \parallel y} \quad \dfrac{x \xrightarrow{\{\phi\}\,a} x' \quad y \xrightarrow{\{\psi\}\,b} y' \quad \gamma(a,b) = c \quad \mathfrak{D} \not\models \phi \wedge \psi \Leftrightarrow \mathsf{f}}{x \mid y \xrightarrow{\{\phi \wedge \psi\}\,c} x' \parallel y'}$

  $\dfrac{x \xrightarrow{\{\phi\}\,a(e_1,\ldots,e_n)} x' \quad y \xrightarrow{\{\psi\}\,b(e'_1,\ldots,e'_n)} y' \quad \gamma(a,b) = c \quad \mathfrak{D} \not\models \phi \wedge \psi \wedge e_1 = e'_1 \wedge \ldots \wedge e_n = e'_n \Leftrightarrow \mathsf{f}}{x \mid y \xrightarrow{\{\phi \wedge \psi \wedge e_1 = e'_1 \wedge \ldots \wedge e_n = e'_n\}\,c(e_1,\ldots,e_n)} x' \parallel y'}$

  $\dfrac{\langle t_X \mid E \rangle\,\{\phi\}\!\downarrow}{\langle X \mid E \rangle\,\{\phi\}\!\downarrow} \quad \dfrac{\langle t_X \mid E \rangle \xrightarrow{\{\phi\}\,\alpha} x'}{\langle X \mid E \rangle \xrightarrow{\{\phi\}\,\alpha} x'}$

  [Remaining rules of Table 6 (those involving $H$, $I$, $\sigma$ and $v$) not recoverable from the extraction.]
Two processes are considered equal if they can simulate each other
insofar as their observable potentials to make transitions and to termi-
nate successfully are concerned. In the case of the alternative structural
operational semantics, there are two issues that together complicate matters:

• simply relating a single transition of one of the processes to a single
  transition of the other process does not work because a transition of
  one process may be simulated by a set of transitions of another process;

• simply ignoring all transitions in which the unobservable action $\tau$
  is performed does not work because the observable potentials to
  make transitions and to terminate successfully may change by such
  transitions.

The first issue is illustrated by the processes denoted by $\phi \vee \psi :\rightarrow a$ and
$\phi :\rightarrow a + \psi :\rightarrow a$: the only transition of the former process is simulated by
the two transitions of the latter process. The second issue is illustrated
by the processes denoted by $a + \tau \cdot b$ and $a + b$: by making the transition
in which the unobservable action $\tau$ is performed, the former process loses
the potential to make the transition in which the observable action $a$ is
performed before anything has been observed, whereas this potential is a
potential of the latter process so long as nothing has been observed.

The first issue alone can be dealt with by means of the notion of splitting
bisimulation equivalence introduced in [7] and the second issue alone can
be dealt with by means of the notion of branching bisimulation equivalence
introduced in [41] adapted to the conditionality of transitions in which the
unobservable action $\tau$ is performed. In order to deal with both issues, the
two notions are combined.

We write $t \xRightarrow{\{\phi\}\,\alpha} t'$, where $\phi \in C^{sat}$ and $\alpha \in A_\tau$, for $t \xrightarrow{\{\phi\}\,\alpha} t'$ or
$\alpha = \tau$, $t = t'$ and $\mathfrak{D} \models \phi \Leftrightarrow \mathsf{t}$.

The notation $\bigvee \Phi$, where $\Phi = \{\phi_1, \ldots, \phi_n\}$ and $\phi_1, \ldots, \phi_n$ are ACP$^\tau_\epsilon$-I
terms of sort C, is used for the ACP$^\tau_\epsilon$-I term $\phi_1 \vee \ldots \vee \phi_n$.

An ab-bisimulation is a binary relation $R$ on $P_{rec}$ such that, for all
terms $t_1, t_2 \in P_{rec}$ with $(t_1, t_2) \in R$, the following transfer conditions hold:

• if $t_1 \xrightarrow{\{\phi\}\,\alpha} t_1'$, then there exists a finite set $\Psi \subseteq C^{sat}$ such that
  $\mathfrak{D} \models \phi \Rightarrow \bigvee \Psi$ and, for all $\psi \in \Psi$, there exists an $\alpha' \in [\alpha]$ and, for
  some $n \in \mathbb{N}$, there exist $t_2^0, \ldots, t_2^n, t_2' \in P_{rec}$ and $\psi^1, \ldots, \psi^n, \psi' \in C^{sat}$
  such that $\mathfrak{D} \models \psi \Rightarrow \psi' \wedge \psi^1 \wedge \ldots \wedge \psi^n$, $t_2^0 = t_2$, for all $i \in \mathbb{N}$ with $i < n$,
  $t_2^i \xRightarrow{\{\psi^{i+1}\}\,\tau} t_2^{i+1}$ and $(t_1, t_2^{i+1}) \in R$, $t_2^n \xrightarrow{\{\psi'\}\,\alpha'} t_2'$, and $(t_1', t_2') \in R$;

• if $t_2 \xrightarrow{\{\phi\}\,\alpha} t_2'$, then there exists a finite set $\Psi \subseteq C^{sat}$ such that
  $\mathfrak{D} \models \phi \Rightarrow \bigvee \Psi$ and, for all $\psi \in \Psi$, there exists an $\alpha' \in [\alpha]$ and, for
  some $n \in \mathbb{N}$, there exist $t_1^0, \ldots, t_1^n, t_1' \in P_{rec}$ and $\psi^1, \ldots, \psi^n, \psi' \in C^{sat}$
  such that $\mathfrak{D} \models \psi \Rightarrow \psi' \wedge \psi^1 \wedge \ldots \wedge \psi^n$, $t_1^0 = t_1$, for all $i \in \mathbb{N}$ with $i < n$,
  $t_1^i \xRightarrow{\{\psi^{i+1}\}\,\tau} t_1^{i+1}$ and $(t_1^{i+1}, t_2) \in R$, $t_1^n \xrightarrow{\{\psi'\}\,\alpha'} t_1'$, and $(t_1', t_2') \in R$;

• if $t_1\,\{\phi\}\!\downarrow$, then there exists a finite set $\Psi \subseteq C^{sat}$ such that $\mathfrak{D} \models \phi \Rightarrow \bigvee \Psi$
  and, for all $\psi \in \Psi$, for some $n \in \mathbb{N}$, there exist $t_2^0, \ldots, t_2^n \in P_{rec}$ and
  $\psi^1, \ldots, \psi^n, \psi' \in C^{sat}$ such that $\mathfrak{D} \models \psi \Rightarrow \psi' \wedge \psi^1 \wedge \ldots \wedge \psi^n$, $t_2^0 = t_2$, for
  all $i \in \mathbb{N}$ with $i < n$, $t_2^i \xRightarrow{\{\psi^{i+1}\}\,\tau} t_2^{i+1}$ and $(t_1, t_2^{i+1}) \in R$, and $t_2^n\,\{\psi'\}\!\downarrow$;

• if $t_2\,\{\phi\}\!\downarrow$, then there exists a finite set $\Psi \subseteq C^{sat}$ such that $\mathfrak{D} \models \phi \Rightarrow \bigvee \Psi$
  and, for all $\psi \in \Psi$, for some $n \in \mathbb{N}$, there exist $t_1^0, \ldots, t_1^n \in P_{rec}$ and
  $\psi^1, \ldots, \psi^n, \psi' \in C^{sat}$ such that $\mathfrak{D} \models \psi \Rightarrow \psi' \wedge \psi^1 \wedge \ldots \wedge \psi^n$, $t_1^0 = t_1$, for
  all $i \in \mathbb{N}$ with $i < n$, $t_1^i \xRightarrow{\{\psi^{i+1}\}\,\tau} t_1^{i+1}$ and $(t_1^{i+1}, t_2) \in R$, and $t_1^n\,\{\psi'\}\!\downarrow$.

If $R$ is an ab-bisimulation, then a pair $(t_1, t_2)$ is said to satisfy the root
condition in $R$ if the following conditions hold:

• if $t_1 \xrightarrow{\{\phi\}\,\alpha} t_1'$, then there exists a finite set $\Psi \subseteq C^{sat}$ such that
  $\mathfrak{D} \models \phi \Rightarrow \bigvee \Psi$ and, for all $\psi \in \Psi$, there exist an $\alpha' \in [\alpha]$ and a
  $t_2' \in P_{rec}$ such that $t_2 \xrightarrow{\{\psi\}\,\alpha'} t_2'$ and $(t_1', t_2') \in R$;

• if $t_2 \xrightarrow{\{\phi\}\,\alpha} t_2'$, then there exists a finite set $\Psi \subseteq C^{sat}$ such that
  $\mathfrak{D} \models \phi \Rightarrow \bigvee \Psi$ and, for all $\psi \in \Psi$, there exist an $\alpha' \in [\alpha]$ and a
  $t_1' \in P_{rec}$ such that $t_1 \xrightarrow{\{\psi\}\,\alpha'} t_1'$ and $(t_1', t_2') \in R$;

• if $t_1\,\{\phi\}\!\downarrow$, then there exists a finite set $\Psi \subseteq C^{sat}$ such that $\mathfrak{D} \models \phi \Rightarrow \bigvee \Psi$
  and, for all $\psi \in \Psi$, $t_2\,\{\psi\}\!\downarrow$;

• if $t_2\,\{\phi\}\!\downarrow$, then there exists a finite set $\Psi \subseteq C^{sat}$ such that $\mathfrak{D} \models \phi \Rightarrow \bigvee \Psi$
  and, for all $\psi \in \Psi$, $t_1\,\{\psi\}\!\downarrow$.

Two terms $t_1, t_2 \in P_{rec}$ are rooted ab-bisimulation equivalent, written
$t_1 \leftrightarrow_{rab} t_2$, if there exists an ab-bisimulation $R$ such that $(t_1, t_2) \in R$ and
$(t_1, t_2)$ satisfies the root condition in $R$.

In the absence of the constant $\tau$, rooted ab-bisimulation equivalence is
essentially the same as splitting bisimulation equivalence as defined in [7].
In the absence of all terms of sort C other than the constants $\mathsf{t}$ and $\mathsf{f}$, rooted
ab-bisimulation equivalence is essentially the same as rooted branching
bisimulation equivalence as defined in [41].


I conjecture that, for all terms $t_1, t_2 \in P_{rec}$, $t_1 \leftrightarrow_{rb} t_2$ iff $t_1 \leftrightarrow_{rab} t_2$.